[VFOSSA] Fwd: OpenSSL HeartBleed security bug
Vu The Binh
binh at netnam.vn
Sun Apr 13 17:06:52 ICT 2014
Hi Nghĩa,
So that means if a Windows server uses Apache + OpenSSL it is at risk of being
hit, but if it uses IIS it is not?
Cheers, Bình.
On 4/11/14 7:30 PM, Nghĩa Lê Trung wrote:
> See also:
> https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug/Heartbleed_on_Windows
> It also includes how to protect against it.
> nghialt
>
>
> On Fri, Apr 11, 2014 at 5:10 PM, Vu The Binh <binh at netnam.vn> wrote:
>
> Guys, for further reference:
>
> --
> It is hard to say exactly which apps/services are affected. This is
> because OpenSSL is a collection of programming code (referred to as a
> "library") that can be used to add TLS support to an application or
> system. TLS (Transport Layer Security) provides secure connections, and
> is best known for being the security layer behind HTTPS websites.
>
> So if a programmer were writing a program that needed to use TLS to
> connect to something, they can use the OpenSSL library to add that
> ability to their app.
>
> The OpenSSL library itself is constantly being improved, like many other
> bits of software. During this process, the Heartbleed bug was
> accidentally introduced in OpenSSL version 1.0.1, which was released on
> 14th of March 2012. It remained present through to version 1.0.1f
> (inclusive) and was fixed in 1.0.1g, released on 7th of April 2014.
>
> This means that any application that uses those OpenSSL versions for TLS
> is potentially affected. No doubt the affected developers have fixes in
> progress.
>
> The fix has since been "backported", meaning that it has been added to
> versions of OpenSSL prior to 1.0.1g. This is a good thing, and is
> commonly done for vulnerabilities, but has the side effect of making it
> harder to tell if an app is vulnerable (since you can't tell just by
> looking at the OpenSSL version).
>
> To address your specific questions:
>
> SSH is not affected (SSH is a different protocol to TLS)
> HTTP is not affected (HTTP is also a different protocol to TLS), meaning
> that an HTTP-only server will not be affected.
> Note that it's possible to provide HTTPS using other libraries - so
> Microsoft IIS Web Servers (which don't use OpenSSL) can provide HTTPS
> without being affected.
>
> So in summary:
>
> The only apps/services that are affected are those that use a vulnerable
> version of OpenSSL for TLS connections, and have TLS heartbeat support.
>
> Other TLS libraries (like GnuTLS, SChannel, and JSSE) cannot possibly be
> affected by this particular bug, because it only exists in specific
> versions of the OpenSSL library.
>
> If you are unsure, ask the person/company that wrote the application.
>
> If you are a developer, find out what library your app is using for TLS
> connections and test to be certain.
> --
>
> Bình.
>
> On 4/11/14 11:01 AM, Truong Anh. Tuan wrote:
> >
> > ----- Original Message -----
> >> From: "Thế Hùng Nguyễn" <thehung at vinades.vn>
> >> To: "VFOSSA Members" <members at lists.vfossa.vn>
> >> Sent: Friday, April 11, 2014 10:44:28 AM
> >> Subject: Re: [VFOSSA] Fwd: OpenSSL HeartBleed security bug
> >>
> >> The banks report they have all finished fixing it already.
> >
> > That remains to be seen!
> > I think the bank admins just do it for show, to claim the achievement.
> >
> > The essence of this bug is that the private key gets leaked. So over the past 2 years, if any
> > attacker has already grabbed the private key, they effectively hold the key in their hands.
> > The kids upgrading and patching only ensures the key won't be lost again; if they
> > don't change the key, the attackers can still use the old key to open our house as usual :D
> > Clear??
> >
> > I ran a quick check for fun and saw right away that ACB Online [1] is still using the old key,
> > issued on 04/08/2013 by VeriSign (Class 3 EV type [2], "extremely high" security :D).
> > I predict ACB will soon be suing VeriSign to claim the 1.5 million USD insurance payout, since
> > they had SSL and still got their key broken :). Unless VeriSign for some odd reason has already
> > gone and sent a notice to every customer about having to re-issue a new key (which I don't
> > believe a company like VeriSign would fail to do, since even iWay does it :)
> >
> > Kind regards,
> > Tuan
> >
> > [1] https://www.acbonline.com.vn/
> > [2]
> http://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
> > _______________________________________________
> > POST RULES: http://wiki.vfossa.vn/guidelines:mailinglist
> > _______________________________________________
> > Members mailing list: Members at lists.vfossa.vn
> <mailto:Members at lists.vfossa.vn>
> > http://lists.vfossa.vn/mailman/listinfo/members
> > VFOSSA website: http://vfossa.vn/
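Two practical questions run through this thread: how to tell whether an OpenSSL build falls in the affected 1.0.1 to 1.0.1f range (with the caveat quoted above that distributors backported the fix, so the version string alone is not conclusive), and Tuan's point that patching stops further leakage but does not undo one, so a certificate whose key existed while the host was vulnerable has to be re-issued with a new key. The following triage helper is an added example written for this page; it is not code from the list, from Bitnami or from any of the posters. The hostnames, banners and dates in the inventory are constructed sample data, and the action names (`upgrade-openssl`, `reissue-certificate-new-key`, ...) are labels chosen here, not an existing tool's vocabulary.

```python
"""Heartbleed exposure triage (added example; constructed sample data, not real hosts)."""
import re
from datetime import date

# Dates and versions as stated in the thread: the bug shipped in 1.0.1 (14 Mar 2012),
# remained through 1.0.1f and was fixed in 1.0.1g, released 7 Apr 2014.
FIX_RELEASED = date(2014, 4, 7)

# Matches the leading part of an `openssl version` banner, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(\S*)")


def classify_openssl_version(banner):
    """Classify an `openssl version` banner.

    Returns 'not-affected' (a release line the bug never shipped in), 'fixed' (1.0.1g or
    later), 'vulnerable' (plain upstream 1.0.1 .. 1.0.1f) or 'unknown' (1.0.1 .. 1.0.1f with a
    vendor or build suffix: distributors backported the fix, so the version string alone
    cannot tell and the vendor advisory has to be consulted).
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if release != (1, 0, 1):
        return "not-affected"
    if letter >= "g":  # 1.0.1g and later carry the fix
        return "fixed"
    return "unknown" if suffix else "vulnerable"


def triage_host(banner, cert_not_before, patched_on=None):
    """Return (status, actions) for one TLS host.

    cert_not_before: notBefore date of the certificate the host currently serves.
    patched_on:      date the host's OpenSSL was patched, if known from change records;
                     when unknown, the upstream fix date is the earliest possible cut-off.
    A key that existed while the host ran vulnerable code may already be in an attacker's
    hands, so a certificate issued before the patch needs a fresh key and the old one revoked.
    """
    status = classify_openssl_version(banner)
    actions = []
    if status == "not-affected":
        return status, actions
    if status == "vulnerable":
        actions.append("upgrade-openssl")
    elif status == "unknown":
        actions.append("confirm-vendor-backport")
    exposure_end = patched_on or FIX_RELEASED
    if status in ("vulnerable", "unknown") or cert_not_before < exposure_end:
        # notBefore is only a proxy: also confirm the public key really changed, because a
        # certificate re-issued from the old CSR keeps the compromised key.
        actions += ["reissue-certificate-new-key", "revoke-old-certificate"]
    return status, actions


# Constructed inventory rows: (host, banner, certificate notBefore, patch date if known).
SAMPLE_INVENTORY = [
    ("www.example-bank.test", "OpenSSL 1.0.1g 7 Apr 2014", date(2013, 8, 4), None),
    ("shop.example.test", "OpenSSL 1.0.1e-fips 11 Feb 2013", date(2014, 1, 15), None),
    ("legacy.example.test", "OpenSSL 1.0.0k 5 Feb 2013", date(2012, 6, 1), None),
    ("fresh.example.test", "OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 12), date(2014, 4, 9)),
]


def triage_inventory(inventory=SAMPLE_INVENTORY):
    """Run triage_host over inventory rows; returns {host: (status, actions)}."""
    return {host: triage_host(banner, nb, patched) for host, banner, nb, patched in inventory}


if __name__ == "__main__":
    for host, (status, actions) in triage_inventory().items():
        print("%-24s %-13s %s" % (host, status, ", ".join(actions) or "no action"))
```

The first inventory row reproduces the situation Tuan describes: the server reports a fixed version, yet its certificate predates the fix, so the helper still calls for a new key and revocation of the old certificate. The last row shows the only case that needs nothing: a patched host whose certificate was issued after the patch date.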