[VFOSSA] Fwd: OpenSSL HeartBleed security flaw
Vu The Binh
binh at netnam.vn
Fri Apr 11 17:10:54 ICT 2014
Folks, some further reading for reference:
--
It is hard to say exactly which apps/services are affected. This is
because OpenSSL is a collection of programming code (referred to as a
"library") that can be used to add TLS support to an application or
system. TLS (Transport Layer Security) provides secure connections, and
is best known for being the security layer behind HTTPS websites.
So if a programmer were writing a program that needed to use TLS to
connect to something, they can use the OpenSSL library to add that
ability to their app.
The OpenSSL library itself is constantly being improved, like many other
bits of software. During this process, the Heartbleed bug was
accidentally introduced in OpenSSL version 1.0.1, which was released on
14th of March 2012. It remained present through to version 1.0.1f
(inclusive) and was fixed in 1.0.1g, released on 7th of April 2014.
This means that any application that uses those OpenSSL versions for TLS
is potentially affected. No doubt the affected developers have fixes in
progress.
The fix has since been "backported", meaning that it has been added to
versions of OpenSSL prior to 1.0.1g. This is a good thing, and is
commonly done for vulnerabilities, but has the side effect of making it
harder to tell if an app is vulnerable (since you can't tell just by
looking at the OpenSSL version).
To address your specific questions:
SSH is not affected (SSH is a different protocol to TLS)
HTTP is not affected (HTTP is also a different protocol to TLS), meaning
that an HTTP-only server will not be affected.
Note that it's possible to provide HTTPS using other libraries - so
Microsoft IIS Web Servers (which don't use OpenSSL) can provide HTTPS
without being affected.
So in summary:
The only apps/services that are affected are those that use a vulnerable
version of OpenSSL for TLS connections, and have TLS heartbeat support.
Other TLS libraries (like GnuTLS, SChannel, and JSSE) cannot possibly be
affected by this particular bug, because it only exists in specific
versions of the OpenSSL library.
If you are unsure, ask the person/company that wrote the application.
If you are a developer, find out what library your app is using for TLS
connections and test to be certain.
--
Bình.
On 4/11/14 11:01 AM, Truong Anh. Tuan wrote:
>
> ----- Original Message -----
>> From: "Thế Hùng Nguyễn" <thehung at vinades.vn>
>> To: "VFOSSA Members" <members at lists.vfossa.vn>
>> Sent: Friday, April 11, 2014 10:44:28 AM
>> Subject: Re: [VFOSSA] Fwd: OpenSSL HeartBleed security flaw
>>
>> The banks report they have all finished fixing it.
>
> That remains to be seen!
> I think the bank admins only did it for show, to claim credit.
>
> The nature of this bug is that the private key gets leaked. So over the past two years, if some
> attacker has already grabbed the private key, they effectively hold the key in their hands.
> Even if those folks have applied the patch, that only keeps the key from leaking again; if they
> don't change the key, the attackers can still use the old key to open our house as usual :D
> Clear??
>
> Just for fun, I checked and saw right away that ACB Online [1] still uses its old key, issued
> on 04/08/2013 by VeriSign (Class 3 EV type [2], "extremely high" security :D).
> I predict ACB will soon sue VeriSign to claim the 1.5 million USD insurance payout, since they had SSL
> and still got their key broken :). Unless VeriSign somehow went and sent each customer a notice
> that they must re-issue a new key (which I don't believe a company like VeriSign would
> fail to do - since even iWay did it :)
>
> Kind regards,
> Tuan
>
> [1] https://www.acbonline.com.vn/
> [2] http://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
> _______________________________________________
> POST RULES: http://wiki.vfossa.vn/guidelines:mailinglist
> _______________________________________________
> Members mailing list: Members at lists.vfossa.vn
> http://lists.vfossa.vn/mailman/listinfo/members
> VFOSSA website: http://vfossa.vn/
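The two checks this thread turns on, Bình's caveat that the version string alone is inconclusive once fixes are backported and Tuấn's point that a patched server still needs a new key, as an added example in Python that is not from either poster. It assumes the inputs are the first line of `openssl version` and the notBefore line of `openssl x509 -noout -dates`; all sample values are constructed.

```python
"""Triage helper for the two points made in this thread: OpenSSL 1.0.1 through
1.0.1f (and 1.0.2-beta1) carry Heartbleed but distro backports make the bare
version string inconclusive; and patching only stops further leakage, so a
certificate whose key was served by a vulnerable host still needs re-issuing.
"""
import re
from datetime import datetime, timezone

FIX_RELEASED = datetime(2014, 4, 7, tzinfo=timezone.utc)  # 1.0.1g release date


def version_status(version_line: str) -> str:
    """Classify the first line of `openssl version` output.

    Returns 'vulnerable-unless-backported', 'not-affected' or 'unknown'.
    A vendor may have patched 1.0.1e in place, so a hit here means
    "check the package changelog / test the heartbeat", not "confirmed".
    """
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(\S*)", version_line)
    if not m:
        return "unknown"
    core = tuple(int(x) for x in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if core == (1, 0, 2) and suffix.startswith("-beta1"):
        return "vulnerable-unless-backported"
    if core != (1, 0, 1):
        return "not-affected"  # 0.9.8, 1.0.0 and released 1.0.2+ never had the bug
    if letter <= "f":  # '' (plain 1.0.1) up to and including 'f'
        return "vulnerable-unless-backported"
    return "not-affected"  # 1.0.1g and later


def key_needs_rotation(not_before_line: str, patched_on: datetime = FIX_RELEASED) -> bool:
    """Take the 'notBefore=...' line from `openssl x509 -noout -dates` and decide
    whether the certificate's key was already in service before the host was
    patched; if so the key may have been exposed and must be re-issued."""
    raw = not_before_line.split("=", 1)[1].strip()
    not_before = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return not_before < patched_on


# Constructed sample inputs (not real command output captured from any host).
if __name__ == "__main__":
    print(version_status("OpenSSL 1.0.1e 11 Feb 2013"))             # vulnerable-unless-backported
    print(version_status("OpenSSL 1.0.1g 7 Apr 2014"))              # not-affected
    print(key_needs_rotation("notBefore=Aug  4 00:00:00 2013 GMT"))  # True
```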