[VFOSSA] Fwd: OpenSSL HeartBleed security bug

Nghĩa Lê Trung letrungnghia.foss at gmail.com
Fri Apr 11 19:30:14 ICT 2014


See also:
https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug/Heartbleed_on_Windows
It includes a way to defend against it.
nghialt


On Fri, Apr 11, 2014 at 5:10 PM, Vu The Binh <binh at netnam.vn> wrote:

> Folks, for further reference:
>
> --
> It is hard to say exactly which apps/services are affected. This is
> because OpenSSL is a collection of programming code (referred to as a
> "library") that can be used to add TLS support to an application or
> system. TLS (Transport Layer Security) provides secure connections, and
> is best known for being the security layer behind HTTPS websites.
>
> So if a programmer were writing a program that needed to use TLS to
> connect to something, they could use the OpenSSL library to add that
> ability to their app.
>
> The OpenSSL library itself is constantly being improved, like many other
> bits of software. During this process, the Heartbleed bug was
> accidentally introduced in OpenSSL version 1.0.1, which was released on
> 14th of March 2012. It remained present through to version 1.0.1f
> (inclusive) and was fixed in 1.0.1g, released on 7th of April 2014.
>
> This means that any application that uses those OpenSSL versions for TLS
> is potentially affected. No doubt the affected developers have fixes in
> progress.
>
> The fix has since been "backported", meaning that it has been added to
> versions of OpenSSL prior to 1.0.1g. This is a good thing, and is
> commonly done for vulnerabilities, but has the side effect of making it
> harder to tell if an app is vulnerable (since you can't tell just by
> looking at the OpenSSL version).
>
> To address your specific questions:
>
> SSH is not affected (SSH is a different protocol to TLS)
> HTTP is not affected (HTTP is also a different protocol to TLS), meaning
> that an HTTP-only server will not be affected.
> Note that it's possible to provide HTTPS using other libraries - so
> Microsoft IIS Web Servers (which don't use OpenSSL) can provide HTTPS
> without being affected.
>
> So in summary:
>
> The only apps/services that are affected are those that use a vulnerable
> version of OpenSSL for TLS connections, and have TLS heartbeat support.
>
> Other TLS libraries (like GnuTLS, SChannel, and JSSE) cannot possibly be
> affected by this particular bug, because it only exists in specific
> versions of the OpenSSL library.
>
> If you are unsure, ask the person/company that wrote the application.
>
> If you are a developer, find out what library your app is using for TLS
> connections and test to be certain.
> --
>
> Bình.
>
> On 4/11/14 11:01 AM, Truong Anh. Tuan wrote:
> >
> > ----- Original Message -----
> >> From: "Thế Hùng Nguyễn" <thehung at vinades.vn>
> >> To: "VFOSSA Members" <members at lists.vfossa.vn>
> >> Sent: Friday, April 11, 2014 10:44:28 AM
> >> Subject: Re: [VFOSSA] Fwd: OpenSSL HeartBleed security bug
> >>
> >> The banks report they have all finished fixing it.
> >
> > That remains to be seen!
> > I think those bank admins only did it for show, to chalk up an achievement.
> >
> > The essence of this bug is that the private key gets leaked. So over the past 2 years, if
> > any attacker has already snatched the private key, then they effectively hold the key in
> > their hands. Even if the dears upgrade and patch, that only stops the key from being lost
> > again; if they don't change the key, the attackers can still use the old key to open our
> > house as usual :D
> > Clear??
> >
> > Did a quick check for fun, and saw right away that ACB Online [1] is still using the old
> > key, issued on 04/08/2013 by VeriSign (the Class 3 EV kind [2], "extremely high" security :D)
> > I predict ACB will soon sue VeriSign to claim the 1.5 million USD insurance payout, since
> > they had SSL and their key still got cracked :). Unless VeriSign has, by some fluke, already
> > sent a notification to every customer about having to re-issue new keys (which I don't
> > believe a company like VeriSign would fail to do, since even iWay does it :)
> >
> > Kind regards,
> > Tuan
> >
> > [1] https://www.acbonline.com.vn/
> > [2] http://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
> > _______________________________________________
> > POST RULES: http://wiki.vfossa.vn/guidelines:mailinglist
> > _______________________________________________
> > Members mailing list: Members at lists.vfossa.vn
> > http://lists.vfossa.vn/mailman/listinfo/members
> > VFOSSA website: http://vfossa.vn/
>