Heartbleed Bug


Nikhil P L


What is the Heartbleed Bug?

Heartbleed (CVE-2014-0160) is a memory-disclosure vulnerability in OpenSSL.

OpenSSL is the cryptographic library that many web servers and clients use to implement SSL/TLS, the protocol behind a "secure" HTTPS:// connection.

The bug is in OpenSSL's implementation of the TLS Heartbeat extension: a heartbeat request declares its own payload length, and vulnerable versions copy that many bytes into the reply without checking the claim against the length of the data actually received, so up to 64 KB of adjacent server memory leaks per request.

Heartbeat requests can be sent WITHOUT authentication to the server: no account, password or client certificate is needed, only the ability to reach the TLS port.


TCP/IP Layers

SSL/TLS sits between TCP (transport layer) and HTTP (application layer): it encrypts the application data before handing it to TCP, which is why the bug lives below the web application and leaves no trace in the application's own logs.


SSL Protocols

Handshake Protocol: used to authenticate the server (and optionally the client) and to agree on keys

Record Protocol: carries the encrypted application messages

Alert Protocol: if an error is encountered, it is reported and handled by the Alert Protocol


What happened when?

Vulnerable OpenSSL 1.0.1 released: 14 March 2012

Patch prepared: 21 March 2014 (some sites had already been fixed privately by then)

Reported to OpenSSL as vulnerable: 1 April 2014; publicly disclosed with the release of 1.0.1g: 7 April 2014

First proven attempted exploit: 8 April 2014

Intentional vulnerability test (private key recovered from a deliberately vulnerable server): 12 April 2014


What versions of OpenSSL are affected?

OpenSSL 0.9.8 branch is NOT vulnerable

OpenSSL 1.0.0 branch is NOT vulnerable

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

OpenSSL 1.0.1g is NOT vulnerable


How many sites are vulnerable?


Memory disclosure: what exactly can an attacker get?

Private crypto keys: the keys to the kingdom, or at least to the server

Usernames and passwords

Session identifiers

Private data: request and response payloads

Metadata for the SSL session, and program structure pointers, which may defeat other exploit protections such as address randomisation
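The over-read behind all of this, as an added example that is not OpenSSL's own code: a heartbeat handler in the shape of the vulnerable one (OpenSSL 1.0.1 through 1.0.1f) beside one carrying the bounds check that 1.0.1g added. The heap is simulated by a single array with a constructed secret placed just after the received record; the record layout and constants follow RFC 6520, while the function names, the "ping" payload and the planted secret are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding an RFC 6520 heartbeat carries */
#define ARENA_SIZE       256

/* Constructed stand-in for the process heap: the heartbeat record received
 * from the peer sits at the front, and data left behind by another
 * connection (the planted secret) sits right after it. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "user=alice&password=hunter2;sid=0xdeadbeef";

/* Lay out a heartbeat record whose 16-bit length field says claimed_len but
 * whose real payload is only `payload`. Returns the length that actually
 * arrived on the wire: type + length + payload + padding. */
static size_t build_arena(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&arena[3], payload, plen);
    size_t rec_len = 1 + 2 + plen + HB_PADDING;
    memcpy(&arena[rec_len], SECRET, sizeof SECRET - 1);  /* leftover secret */
    return rec_len;
}

/* Vulnerable handler (1.0.1 to 1.0.1f behaviour): trusts the length field
 * and copies that many bytes from the request into the response.
 * Returns the number of response bytes produced. */
static size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                                    unsigned char *out, size_t out_cap) {
    (void)rec_len;                    /* the bug: real record length is ignored */
    const unsigned char *p = rec + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0; /* demo buffer limit only, not a fix */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = p[0]; out[2] = p[1];
    memcpy(out + 3, p + 2, payload);  /* over-read: runs past the real payload */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler (the 1.0.1g check): drop any request whose claimed payload
 * would not fit inside the record that was actually received. */
static size_t hb_process_fixed(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    const unsigned char *p = rec + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* the fix */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = p[0]; out[2] = p[1];
    memcpy(out + 3, p + 2, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* One exchange: a request claiming claimed_len payload bytes but carrying
 * only "ping". Returns the response length (0 = request dropped). */
static size_t hb_exchange(int use_fixed, uint16_t claimed_len,
                          unsigned char *resp, size_t cap) {
    size_t rec_len = build_arena(claimed_len, "ping");
    return use_fixed ? hb_process_fixed(arena, rec_len, resp, cap)
                     : hb_process_vulnerable(arena, rec_len, resp, cap);
}

static size_t heartbeat_response_len(int use_fixed, uint16_t claimed_len) {
    unsigned char resp[ARENA_SIZE];
    return hb_exchange(use_fixed, claimed_len, resp, sizeof resp);
}

/* 1 if the planted password shows up in the response, 0 otherwise. */
static int heartbeat_leaks_password(int use_fixed, uint16_t claimed_len) {
    unsigned char resp[ARENA_SIZE];
    size_t n = hb_exchange(use_fixed, claimed_len, resp, sizeof resp);
    const char needle[] = "password=hunter2";
    size_t nl = sizeof needle - 1;
    for (size_t i = 0; n >= nl && i + nl <= n; i++)
        if (memcmp(resp + i, needle, nl) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claims 100 bytes: %zu bytes back, leaks password=%d\n",
           heartbeat_response_len(0, 100), heartbeat_leaks_password(0, 100));
    printf("fixed,      claims 100 bytes: %zu bytes back, leaks password=%d\n",
           heartbeat_response_len(1, 100), heartbeat_leaks_password(1, 100));
    return 0;
}
```

An honest request (claimed length 4, payload "ping") gets the same 23-byte reply from both handlers; the dishonest one gets 119 bytes from the vulnerable handler, including the secret that followed the record in memory, and nothing at all from the fixed one. A real attacker claims 0xFFFF and repeats the request, sweeping different 64 KB windows of heap each time.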


What should you do?

Find out which sites are vulnerable, then change your passwords as soon as each site is patched.

On vulnerable sites that have been patched: old passwords may already be compromised, so change them now.

On sites not yet patched (ask about current status): a new password may be captured just like the old one, so wait for the patch if you can, and change it again afterwards.

On sites not affected: was the same password used elsewhere?

If you run a server: upgrade to OpenSSL 1.0.1g (or rebuild with -DOPENSSL_NO_HEARTBEATS), then reissue the certificate with a new private key, revoke the old one, and invalidate existing sessions, since the old key and session identifiers may have leaked.


Which sites are not affected?

Almost all financial service sites are OK.


Which are common patched sites?


Thanks
