
Might wanna recompile or patch that OpenSSL, buddy (4/7/2014)

Sardonik

New Member
As a curious hobbyist, I'm a bit confused about something...

Heartbleed has prompted much discussion about the need to change passwords and reissue/revoke SSL certs, but it seems to me that there's at least one more potential level of evil here. If secure comms have, potentially, been compromised for years, it seems likely that at least some systems have been compromised using sniffed admin credentials. Acting to preserve root access once it's been gained seems like a logical next step, assuming a stealthy rootkit-style compromise is available to the attackers.

Can we really trust the OS currently installed on systems which were set up prior to application of the Heartbleed bug patch and which use cPanel etc. for administration? If SSL reissuance/revocation is considered prudent as a reaction to this bug, shouldn't OS re-installation also be indicated?
 

tchen

New Member
If SSL reissuance/revocation is considered prudent as a reaction to this bug, shouldn't OS re-installation also be indicated?
Varying degrees of yes. Most of the bigger shops (outside of hosting) should have tripwires and other host-based intrusion systems in place that would detect direct manipulation of the system - hence why most press releases concentrate on just the SSL endpoint. If you lack basic monitoring, however, then you're right - there's a low trust level associated with anything on your server - which would have been the case anyways without Heartbleed, right?
 
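The tripwire-style host integrity checking tchen refers to, as an added Python example (not code from this thread or from any named product): it records a SHA-256 hash plus ownership, mode and size for every regular file under a directory, then reports anything modified, added or removed relative to that baseline. The directory tree and the tampering are constructed inline in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_record(path):
    # what a tripwire-style baseline records per file: content hash plus metadata
    st = os.lstat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"sha256": digest, "mode": st.st_mode & 0o7777,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(root):
    # walk root and record every regular file; symlinks are skipped
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.path.isfile(path):
                baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline

def compare(baseline, current):
    # return {relpath: reason} for every deviation from the stored baseline
    findings = {}
    for rel, rec in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif rec != current[rel]:
            changed = sorted(k for k in rec if rec[k] != current[rel][k])
            findings[rel] = "changed: " + ", ".join(changed)
    for rel in current:
        if rel not in baseline:
            findings[rel] = "added"
    return findings

def demo():
    # constructed scenario: baseline a fake bin directory, then alter it
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "bin")
        bindir.mkdir()
        for name in ("ls", "ps", "sshd"):
            (bindir / name).write_bytes(b"#!/bin/sh\necho %s\n" % name.encode())
        baseline = build_baseline(root)
        # one file modified, one unexpected file added, one file removed
        with open(bindir / "ps", "ab") as fh:
            fh.write(b"# extra bytes appended after the baseline was taken\n")
        (bindir / "unexpected").write_bytes(b"x")
        (bindir / "sshd").unlink()
        return compare(baseline, build_baseline(root))
```

The baseline only proves anything if it is stored off the host (or on read-only media) and was taken before the suspected compromise; a kernel-level rootkit can also lie to the checker about file contents, which is the residual risk behind the OS reinstall question above.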

Sardonik

New Member
Thanks, that makes sense. I didn't factor tripwire modification monitoring into the equation.

Sent from my SM-N900T using Tapatalk
 

MCH-Phil

New Member
Verified Provider
I don't see the problem.  Patches are good.  No patches is bad.  There will always be more patches.
 

peterw

New Member
Oh shit: https://www.imperialviolet.org/2014/04/19/revchecking.html

Revocation checking is in the news again because of a large number of revocations resulting from precautionary rotations for servers affected by the OpenSSL heartbeat bug. However, revocation checking is a complex topic and there's a fair amount of misinformation around. In short, it doesn't work and you are no more secure by switching it on. But let's quickly catch up on the background.
The browsers do not check if the SSL certificates are revoked. And they cannot do it by lists and they cannot do it by a check service. So all your revoked SSL certificates are still valid for the browsers until their validity ends.
 

MCH-Phil

New Member
Verified Provider
More misinformation :D Chrome, specifically, will inform you of certificate revocation. I have personally seen it happen :)

Now I can't verify how active that is, if say I would refresh 100 times how many times that check would be performed or maybe it's stored etc. If the OCSP servers are down, of course no protection. But something > nothing?
 