
View Full Version : Heartbleed virus and linux Server for LMS only



garym
2014-04-14, 17:42
I've read a lot about the heartbleed virus and the impact on end users related to companies that were affected. And I've read that many of our own routers are affected due to their use of OpenSSL. I understand the userid/password issues at many of the sites, etc. But I'm a bit confused about the effect of our own routers and future problems. Particularly with a computer that's just a LMS server (local files and internet radio streaming). Default router install (no ports "opened", etc.).

Any network gurus out there that can clarify? Thanks.

pippin
2014-04-14, 18:19
a) it's not a virus, it's a bug in certain versions of OpenSSL.
b) Your router will only be affected if you enabled remote administration over SSL over the internet. Something you should not do anyway.
c) LMS will never be affected. LMS has no security at all and doesn't even use any form of SSL. So if there's no security there's nothing that can be breached.... If you opened up your LMS server to the internet through port forwarding it will always be pretty much unsecured. If you don't, it will be contained in your local network and therefore safe (unless someone breaks into your local network).

garym
2014-04-14, 18:22
a) it's not a virus, it's a bug in certain versions of OpenSSL.
b) Your router will only be affected if you enabled remote administration over SSL over the internet. Something you should not do anyway.
c) LMS will never be affected. LMS has no security at all and doesn't even use any form of SSL. So if there's no security there's nothing that can be breached.... If you opened up your LMS server to the internet through port forwarding it will always be pretty much unsecured. If you don't, it will be contained in your local network and therefore safe (unless someone breaks into your local network).

thanks pippin. That's what I wanted to understand. I don't do remote admin over SSL so that's a non-issue. I was assuming that without any port forwarding I was OK, but the stuff I read on the net didn't fully clarify that (for me at least).

pippin
2014-04-14, 18:25
Oh... if you DO want to open up your local infrastructure to the internet for remote use, there are three common ways:
1. A VPN (Virtual Private Network). The most common VPN implementations should be safe because they don't use SSL
2. SSH tunneling. While SSH often shares some crypto libraries with OpenSSL the bug was not in the encryption itself but in the transmission protocol so you are still safe.
3. SSL tunneling. If you use an SSL tunnel to do remote access through a web server you are unsafe and should update OpenSSL and change keys/certificates and passwords.

pippin
2014-04-14, 18:39
thanks pippin. That's what I wanted to understand. I don't do remote admin over SSL so that's a non-issue. I was assuming that without any port forwarding I was OK, but the stuff I read on the net didn't fully clarify that (for me at least).

Well, you read a lot of nonsense on the internet, especially in mainstream media outlets. They rarely ever have writers who really understand what was happening so the quality of the output is mixed.

Generally speaking, this is what happened:
1. OpenSSL is software that provides SSL encryption for network connections (mainly used in web servers) on Linux platforms. SSL is the encryption being used for secure web sites.
2. The latest version of OpenSSL has had a bug for almost two years which allowed someone to request some amount of information out of the memory of the server OpenSSL is running on. This had nothing to do with the encryption itself which was not breached. Good explanation: https://xkcd.com/1354/
3. It happens that a web server running encryption often handles stuff that needs to be encrypted and might hold it in its memory. This could be username/password combinations just transmitted or the actual encryption "keys" (certificates).
4. So you could theoretically request and record all of this information systematically and then search for username/password combinations or keys. In theory, someone could have done this for several years.
5. It's unlikely, though, that this has happened systematically on major sites because then it would likely have raised some attention at some point due to the weird traffic it generates.

There are several reasons the bug is so severe:

1. It has nothing to do with the encryption or the connection itself. So while you can't systematically search for _your_ password using this bug someone _can_ accidentally get hold of your password _without having to intercept your data_. That's an important point, for a lot of other attacks _you_ need to be attacked, this is not the case here.
2. Since it dates so far back and since even the SSL certificates could theoretically be stolen all encryption certificates being used with OpenSSL prior to a fix have to be regarded as insecure.
3. For the same reason, all passwords you have used on an insecure site over the last two years have to be regarded as insecure.
4. _Theoretically_ someone who collected your communication data over the last few years could have _later_ decrypted it when he got hold of the "keys". This is something that probably especially applies to bigger organizations like the NSA but you can't rule out that lesser criminals do the same if they know they have a chance to get hold of the encryption key later.

But as said above: It's mainly about web servers or any other infrastructure that uses SSL to secure an otherwise open connection.
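The "request some amount of information out of the memory" step pippin describes comes down to one missing length check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520). The following is an added illustration, not code from this thread or from OpenSSL: it simulates the heartbeat handler over a constructed byte string standing in for process memory, side by side with the patched rule (discard any heartbeat whose claimed payload length does not fit in the received record). Message layout follows RFC 6520; the "neighbouring memory" contents are made up.

```python
import struct
from typing import Optional, Tuple

# RFC 6520 heartbeat message: type (1 byte) | payload_length (2 bytes, big-endian)
#                             | payload | padding (at least 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_length lets the sender lie about the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat(memory: bytes, record_length: int, fixed: bool) -> Optional[bytes]:
    """Process the heartbeat record found at the start of `memory`.

    `memory` is a constructed stand-in for the server's memory: the received record
    followed by whatever else happens to sit after it. `record_length` is how many
    bytes the TLS layer actually received. fixed=False trusts the peer-supplied
    payload_length (the bug); fixed=True applies the RFC 6520 rule that the patch added.
    """
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if fixed and 3 + payload_length + MIN_PADDING > record_length:
        return None  # silently discard: this single check is the Heartbleed fix
    payload = memory[3:3 + payload_length]  # unchecked: reads past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response: Optional[bytes], record_length: int) -> bytes:
    """Return the part of the echoed payload that lay beyond the received record."""
    if response is None:
        return b""
    _, payload_length = struct.unpack("!BH", response[:3])
    payload = response[3:3 + payload_length]
    return payload[record_length - 3:]  # empty when payload_length fit inside the record


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Run the same lying request through the buggy and the patched handler."""
    request = build_heartbeat(b"ping", claimed_length=40)  # 4 real bytes, claims 40
    # Constructed neighbouring memory: a stale credential from an earlier request.
    memory = request + b"user=alice&pass=hunter2 "
    vulnerable = handle_heartbeat(memory, len(request), fixed=False)
    patched = handle_heartbeat(memory, len(request), fixed=True)
    return leaked_bytes(vulnerable, len(request)), patched
```

Running `demo()` shows the buggy handler echoing 20 bytes of the neighbouring credential back to the peer, while the patched handler returns nothing at all, which is also why the page's point holds: the encryption itself was never broken, only the bookkeeping around one message type.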

garym
2014-04-14, 18:48
Aha. I knew I'd get a better explanation here. And the comic book description works well for me!