cooper, posted April 8, 2014:
There's a bug in OpenSSL 1.0.1 up to f (g is safe) and 1.0.2 up to beta1 (beta2 is safe). It's listed at the top. Here's a Python script that can test a site for the vulnerability. There's an online version here BUT that one logs the name and status of a tested site, as can be seen here so you might not want to use that...
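As an added example (not part of the original post, and not the script cooper refers to): a local check of an OpenSSL version banner against the affected ranges given in the post above. The function names and the sample banners are constructed for illustration.

```python
import re

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-fips", "1.0.2-beta1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.I)


def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter, beta) or None if no version found."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return base, m.group(4).lower(), beta


def classify(banner):
    """Apply the ranges from the post: 1.0.1 through 1.0.1f and 1.0.2 up to
    beta1 are affected; 1.0.1g and 1.0.2-beta2 onwards are not.

    Caveat: distribution packages can carry a backported fix under an
    unchanged upstream version string, so "affected" means "verify the
    package changelog or test the service", not proof of exposure.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    base, letter, beta = parsed
    if base == (1, 0, 1):
        if beta is not None:
            return "unknown"  # 1.0.1 betas are not covered by the post
        return "affected" if letter <= "f" else "not affected"
    if base == (1, 0, 2):
        return "affected" if beta == 1 else "not affected"
    return "not affected"  # branches outside the ranges named in the post


if __name__ == "__main__":
    # Constructed sample banners, in the form printed by `openssl version`.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(f"{sample!r}: {classify(sample)}")
```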
cooper, posted April 8, 2014:
One very big thing to note about this vulnerability: For the 2-year period that this bug existed anybody who knew about the issue was capable of reading a vulnerable site's memory, including the location that housed your private key. That means if you acquired a certificate (self-generated or bought) and used it on a vulnerable server, you need to do the following:
1. Update your software to prevent further exploitation.
2. Revoke your certificate.
3. Generate a new private key.
4. Get a trusted third party to reissue you a signed cert.
That last one will cost you money but you originally paid good money to get a certificate so you could use an encrypted communication channel which would seem to indicate it's worth something to you to have this communication channel secure. The cornerstone of that encryption has been compromised and until you replace it you cannot trust the communication channel to be secure. It wouldn't be a bad idea to change any and all server-local passwords either.
mw3demo, posted April 8, 2014:
wifipineapple.com is vulnerable
Dec100, posted April 9, 2014:
Qualys have added the test to their SSL test page now too - https://www.ssllabs.com/ssltest/index.html
i8igmac, posted April 9, 2014:
I see the scanners floating around... does anyone have an example of this exploit reading data? I guess you can read data from running services... can you pull a process list? Can you read local files?
cooper, posted April 9, 2014:
"Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication." Source
cooper, posted April 10, 2014:
Note that this means your forum password should be considered suspect (i.e. public) now as well, on all affected HTTPS websites, which, I fear, includes this one.
Stevie, posted April 11, 2014:
There are also questions on the legality of the scanners, as scanning a site without the owner's permission is technically illegal. However, as it's for good intentions, the law isn't being enforced.
cooper, posted April 11, 2014:
"However as it's for good intentions" ORLY? :)
"the law isn't being enforced" ORLY??? 8-0
barry99705, posted April 13, 2014:
"There are also questions on the legality of the scanners, as scanning a site without the owner's permission is technically illegal. However, as it's for good intentions, the law isn't being enforced."
Uh, no. Unless you have permission, written permission is best, it's illegal. PERIOD!