<div dir="ltr"><div>Xem thêm: <br><a href="https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug/Heartbleed_on_Windows">https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug/Heartbleed_on_Windows</a><br></div><div>Kèm theo cách để chống.<br>
</div>nghialt<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 11, 2014 at 5:10 PM, Vu The Binh <span dir="ltr"><<a href="mailto:binh@netnam.vn" target="_blank">binh@netnam.vn</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Anh em tham khảo thêm:<br>
<br>
--<br>
It is hard to say exactly which apps/services are affected. This is<br>
because OpenSSL is a collection of programming code (referred to as a<br>
"library") that can be used to add TLS support to an application or<br>
system. TLS (Transport Layer Security) provides secure connections, and<br>
is best known for being the security layer behind HTTPS websites.<br>
<br>
So if a programmer were writing a program that needed to use TLS to<br>
connect to something, they can use the OpenSSL library to add that<br>
ability to their app.<br>
<br>
The OpenSSL library itself is constantly being improved, like many other<br>
bits of software. During this process, the Heartbleed bug was<br>
accidentally introduced in OpenSSL version 1.0.1, which was released on<br>
14th of March 2012. It remained present through to version 1.0.1f<br>
(inclusive) and was fixed in 1.0.1g, released on 7th of April 2014 .<br>
<br>
This means that any application that uses those OpenSSL versions for TLS<br>
is potentially affected. No doubt the affected developers have fixes in<br>
progress.<br>
<br>
The fix has since been "backported", meaning that it has been added to<br>
versions of OpenSSL prior to 1.0.1g. This is a good thing, and is<br>
commonly done for vulnerabilities, but has the side effect of making it<br>
harder to tell if an app is vulnerable (since you can't tell just by<br>
looking at the OpenSSL version).<br>
<br>
To address your specific questions:<br>
<br>
SSH is not affected (SSH is a different protocol to TLS)<br>
HTTP is not affected (HTTP is also a different protocol to TLS), meaning<br>
that a HTTP-only server will not be affected.<br>
Note that it's possible to provide HTTPS using other libraries - so<br>
Microsoft IIS Web Servers (which don't use OpenSSL) can provide HTTPS<br>
without being affected.<br>
<br>
So in summary:<br>
<br>
The only apps/services that are affected are those that use a vulnerable<br>
version of OpenSSL for TLS connections, and have TLS heartbeat support.<br>
<br>
Other TLS libraries (like GnuTLS, SChannel, and JSSE) cannot possibly be<br>
affected by this particular bug, because it only exists in specific<br>
versions of the OpenSSL library.<br>
<br>
If you are unsure, ask the person/company that wrote the application.<br>
<br>
If you are a developer, find out what library your app is using for TLS<br>
connections and test to be certain.<br>
<span class="HOEnZb"><font color="#888888">--<br>
<br>
Bình.<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On 4/11/14 11:01 AM, Truong Anh. Tuan wrote:<br>
><br>
> ----- Original Message -----<br>
>> From: "Thế Hùng Nguyễn" <<a href="mailto:thehung@vinades.vn">thehung@vinades.vn</a>><br>
>> To: "VFOSSA Members" <<a href="mailto:members@lists.vfossa.vn">members@lists.vfossa.vn</a>><br>
>> Sent: Friday, April 11, 2014 10:44:28 AM<br>
>> Subject: Re: [VFOSSA] Fwd: Lỗi bảo mật OpenSSL HeartBleed<br>
>><br>
>> Các ngân hàng báo đã fix xong hết rùi.<br>
><br>
> Cái này còn phải xét!<br>
> Anh nghĩ mấy bố admin NH chỉ làm cho có lấy thành tích thôi.<br>
><br>
> Bản chất của lỗi này là bị leak mất private key. Nên 2 năm qua, nếu có<br>
> attacker nào đã chén private key rồi thì coi như nó đã nắm khóa trong tay.<br>
> Các bé có nâng cấp bán vá thì cũng chỉ là để không bị mất key nữa, còn nếu<br>
> không thay khóa thì chúng vẫn dùng khóa cũ mở nhà mình bình thường :D<br>
> Clear??<br>
><br>
> Check thử phát cho vui, thấy ngay ACB Online [1] vẫn dùng key cũ, issue<br>
> ngày 04/08/2013 bởi VeriSign (loại Class 3 EV [2], bảo mật "cực cao" :D)<br>
> Dự là ACB sắp kiện VeriSign được đòi tiền bảo hiểm 1.5tr USD vì có SSL rồi<br>
> mà vẫn bị phá khóa :). Trừ khi VeriSign vớ vẩn thế nào lại đã đi gửi thông<br>
> báo cho từng khách hàng về việc phải re-issue lại key mới (mà việc này thì<br>
> mình không tin là một hãng như VeriSign lại không làm - vì iWay còn làm :)<br>
><br>
> Kind regards,<br>
> Tuan<br>
><br>
> [1] <a href="https://www.acbonline.com.vn/" target="_blank">https://www.acbonline.com.vn/</a><br>
> [2] <a href="http://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates" target="_blank">http://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates</a><br>
> _______________________________________________<br>
> POST RULES: <a href="http://wiki.vfossa.vn/guidelines:mailinglist" target="_blank">http://wiki.vfossa.vn/guidelines:mailinglist</a><br>
> _______________________________________________<br>
> Members mailing list: <a href="mailto:Members@lists.vfossa.vn">Members@lists.vfossa.vn</a><br>
> <a href="http://lists.vfossa.vn/mailman/listinfo/members" target="_blank">http://lists.vfossa.vn/mailman/listinfo/members</a><br>
> VFOSSA website: <a href="http://vfossa.vn/" target="_blank">http://vfossa.vn/</a><br>
_______________________________________________<br>
POST RULES: <a href="http://wiki.vfossa.vn/guidelines:mailinglist" target="_blank">http://wiki.vfossa.vn/guidelines:mailinglist</a><br>
_______________________________________________<br>
Members mailing list: <a href="mailto:Members@lists.vfossa.vn">Members@lists.vfossa.vn</a><br>
<a href="http://lists.vfossa.vn/mailman/listinfo/members" target="_blank">http://lists.vfossa.vn/mailman/listinfo/members</a><br>
VFOSSA website: <a href="http://vfossa.vn/" target="_blank">http://vfossa.vn/</a></div></div></blockquote></div><br></div>