I have been following news about the OpenSSL Heartbleed vulnerability for the last few days and I wanted to highlight how it might affect just about anyone for posterity. First some facts:
- OpenSSL is an open source implementation of SSL/TLS.
- OpenSSL implementations can be found running on Apache and nginx.
- 50% of the world’s web servers run Apache.
- About 15% run nginx.
- This bug was introduced to OpenSSL in 2011 (previous versions are not affected).
- The bug introduced a missing bounds check in the handling of the TLS heartbeat extension and can be used to reveal up to 64k of memory to a connected client or server.
- A patch has been made available for the bug.
While OpenSSL has not been used directly by or in Windows products (e.g. IIS), the same problems may apply in theory if you are using nginx as the SSL termination point. Is Apache or nginx hardware currently in you network and does it process secure external communications?
So what is at risk? I have seen the results of this exploit directed at Yahoo servers and it returned in plain text the passwords and session info for other users. What may be even worse is that the private key of the certificate may also be leaked using the same technique, this would allow an attacker to go on to decrypting past and future data.
After patching the vulnerability, reissuing the certificates would be the next steps, however, not all browsers check for revoked certificates by default (Chrome comes to mind) and will thus continue to send data using compromised key pairs.