Might wanna recompile or patch that OpenSSL, buddy (4/7/2014)

[Sardonik]

As a curious hobbiest, I'm a bit confused about something...

Heartbleed has prompted much discussion about the need to change passwords and reissue/revoke SSL certs, but it seems to me that there's at least one more potential level of evil here. If secure comms have, potentially, been compromised for years, it seems likely that at least some systems have been compromised using sniffed admin credentials. Acting to preserve root access once it's been gained seems like a logical next step, assuming a stealthy root-kit style compromise is available to the attackers.

Can we really trust the OS currently installed on systems which were setup prior to application of the heartbleed bug patch and which use CPanel etc for administration? If SSL reissuance/revocation is considered prudent as a reaction to this bug, shouldn't OS re-installation also be indicated?

 

[tchen]

If SSL reissuance/revocation is considered prudent as a reaction to this bug, shouldn't OS re-installation also be indicated?

Varying degrees of yes.  Most of the bigger shops (outside of hosting) should have tripwires and other host based intrusion systems in place that would detect direct manipulation of the system - hence why most press-releases concentrate on just the SSL endpoint.  If you lack basic monitoring however, then your right - there's a low trust level associated with anything on your server - which would have been the case anyways without Heartbleed, right?

 

[Sardonik]

Thanks, that makes sense. I didn't factor tripwire modification monitoring into the equation.

Sent from my SM-N900T using Tapatalk

 

[peterw]

Vmware long list of patches: OTA_HotelResRS

 

[DomainBop]

Just when you thought the patching was over...Debian releases yet another patch for Wheezy to fix more vulnerabilities.

April 17th patch: https://www.debian.org/security/2014/dsa-2908

new: 1.0.1e-2+deb7u7

 

[MCH-Phil]

I don't see the problem.  Patches are good.  No patches is bad.  There will always be more patches.

 

[beast5]

Useful test

http://filippo.io/Heartbleed

thank you

 

[peterw]

Oh shit: https://www.imperialviolet.org/2014/04/19/revchecking.html

Revocation checking is in the news again because of a large number of revocations resulting from precautionary rotations for servers affected by the OpenSSL heartbeat bug. However, revocation checking is a complex topic and there's a fair amount of misinformation around. In short, it doesn't work and you are no more secure by switching it on. But let's quickly catch up on the background.

The browsers do not check if the ssl certificates are revoked. And they cannot do it by lists and they cannot do it by a check service. So all your revoked ssl certificates are still valid for the browsers until their validity ends.

 

[MCH-Phil]

More misinformation  Chrome, specifically, will inform you of certificate revocation.  I have personally seen it happen

Now I can't verify how active that is, if say I would refresh 100 times how many times that check would be performed or maybe it's stored etc..  If the OSCP servers are down ofcourse no protection.   But something > nothing?