1
Heartbleed Bug
Nikhil P L
2
What is the Heartbleed Bug?
Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL, the open-source
cryptographic library that many web servers and clients use to implement
SSL/TLS, i.e. the "secure" connection behind HTTPS://.
The bug is in OpenSSL's handling of the TLS heartbeat extension: a heartbeat
request can be sent WITHOUT authentication, and a vulnerable server answers
it with more of its memory than the request actually contained.
3
TCP/IP Layers
SSL/TLS sits between TCP (transport layer) and HTTP (application layer): HTTP is carried inside the encrypted SSL/TLS records, which in turn are carried over TCP.
4
SSL Protocols
- Handshake Protocol: authenticates the server (and optionally the client) and negotiates the session keys
- Record Protocol: carries the encrypted application messages
- Alert Protocol: if an error is encountered, it is reported through the Alert Protocol
- Heartbeat extension (RFC 6520): an optional keep-alive message type added in OpenSSL 1.0.1; this is where the bug lives
5
What happened when?
- March 2012: OpenSSL 1.0.1 released with the TLS heartbeat extension, and with the bug
- 21 March 2014: Bug discovered by Google, which patched its own servers (some fixes had already been put in place privately before public disclosure)
- 1 April 2014: Reported to the OpenSSL team
- 7 April 2014: Publicly disclosed as CVE-2014-0160; OpenSSL 1.0.1g released with the fix
- 8 April 2014: First proven attempted exploit
- 12 April 2014: Intentional vulnerability test
6
What versions of OpenSSL are affected?
- OpenSSL 0.9.8 branch is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable
- OpenSSL 1.0.1g is NOT vulnerable (it contains the fix)
- OpenSSL 1.0.2-beta1 is also vulnerable
Caveat: Linux distributions often backport the fix while keeping the old version number (a patched "1.0.1e" is common), so check the package changelog or test the heartbeat behaviour rather than trusting the version string alone.
7
How many sites are vulnerable?
8
Memory disclosure: what exactly can an attacker get?
Each malformed heartbeat returns up to 64 KB of the process's memory, the request can be repeated without limit, and it leaves nothing in ordinary server logs. Memory contents recovered this way include:
- Private crypto keys: the keys to the kingdom, or at least the server
- Usernames and passwords
- Session identifiers (cookies, tokens)
- Private data: request and response payloads
- Metadata for the SSL session and pointers into program structures, which can defeat protections such as ASLR in a follow-on exploit
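To make the "what is it" and "memory disclosure" slides concrete, here is an added C example (not part of the original slides and not OpenSSL's own code) that reproduces the logic of the bug and of the 1.0.1g fix on a constructed heartbeat record. The simulated heap, the "PRIVKEY=..." secret placed next to the record, and the function names are all assumptions made for this example; the two length checks in heartbeat_fixed are the ones the real 1.0.1g patch adds. The vulnerable handler trusts the peer's payload_length and copies that many bytes back, so a request that claims 64 bytes while carrying 4 gets 60 bytes of adjacent memory in its response.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_RESP (3 + 65535 + HB_PADDING)

/* Simulated process memory (constructed for this example): the received record
 * sits at the start, directly followed by unrelated data standing in for what a
 * real server keeps nearby (keys, cookies, passwords). */
#define HEAP_SIZE 256
static unsigned char heap[HEAP_SIZE];
static unsigned char last_resp[HB_MAX_RESP];
static const char secret[] = "PRIVKEY=hypothetical-key-material;cookie=abc";

/* Write a request into rec that claims `claimed` payload bytes but carries only
 * `actual`. Returns the record length that is really on the wire. */
static size_t build_request(unsigned char *rec, uint16_t claimed,
                            const unsigned char *payload, size_t actual)
{
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Shared tail of both handlers: echo `payload` bytes starting at p. */
static size_t send_response(const unsigned char *p, uint16_t payload, unsigned char *resp)
{
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);            /* copies whatever follows p */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Pre-1.0.1g logic: trusts the peer's payload_length and never compares it
 * with rec_len, so the memcpy runs past the record into adjacent memory. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    (void)rec_len;                           /* the missing check */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return send_response(rec + 3, payload, resp);
}

/* 1.0.1g logic: bound the claimed length by the record that actually arrived
 * and silently discard anything that does not fit. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;
    return send_response(rec + 3, payload, resp);
}

/* Send one heartbeat with the given claimed length (real payload is "ping")
 * to either handler; the response is left in last_resp. Returns its length.
 * The claim is kept inside the simulated heap so the demo is deterministic;
 * a real attacker claims 65535 bytes per request and simply repeats. */
static size_t run_demo(int use_fix, uint16_t claimed)
{
    memset(heap, 0, sizeof heap);
    size_t rec_len = build_request(heap, claimed, (const unsigned char *)"ping", 4);
    memcpy(heap + rec_len, secret, sizeof secret);   /* "adjacent" memory */
    return use_fix ? heartbeat_fixed(heap, rec_len, last_resp)
                   : heartbeat_vulnerable(heap, rec_len, last_resp);
}

/* Did the last response (first `len` bytes) carry `needle`? Binary-safe search. */
static int last_response_contains(size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(last_resp + i, needle, n) == 0) return 1;
    return 0;
}

int main(void)
{
    size_t n = run_demo(0, 64);
    printf("vulnerable, claimed 64: %zu-byte response, secret leaked: %s\n",
           n, last_response_contains(n, "PRIVKEY") ? "yes" : "no");
    n = run_demo(1, 64);
    printf("fixed, claimed 64:      %zu-byte response (0 = request dropped)\n", n);
    n = run_demo(1, 4);
    printf("fixed, honest request:  %zu-byte response\n", n);
    return 0;
}
```

Nothing in the exchange involves the handshake's authentication: the heartbeat is processed as soon as the record layer accepts it, which is why the request needs no credentials. Note also that the fixed handler drops the bad record silently rather than sending an alert, exactly as the 1.0.1g patch does, so a patched server gives an attacker no error to distinguish "patched" from "packet lost"; scanners instead time out waiting for the oversized response.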
9
What should you do?
- Find out which of the sites you use are vulnerable, then change all passwords as soon as you can
- On vulnerable sites that have been patched: old passwords may already be compromised, so change them now
- On sites not yet patched (ask about their current status): new passwords may become compromised too, so change them again once the site is patched
- On sites not affected: was the same password used elsewhere? If so, change it there as well
- If you run a server: upgrade OpenSSL, restart every service that links it, reissue certificates with new private keys and revoke the old ones, and invalidate existing sessions, since keys and session identifiers may already have leaked
10
Which sites are not affected?
Almost all financial service sites are OK.
11
Which are common patched sites?
12
Thanks