
Heartbleed Bug


Nikhil P L


What is Heartbleed Bug?

The Heartbleed bug is a vulnerability in OpenSSL.

OpenSSL is the encryption software behind the “secure” connections (HTTPS://) used to access websites.

Heartbleed bug requests can be sent to the server WITHOUT authentication.


TCP/IP Layers

SSL sits between TCP (transport layer) and HTTP (application layer).


SSL Protocols

Handshake Protocol: used to facilitate authentication of server and client

Record Protocol: facilitates the exchange of encrypted messages

Alert Protocol: if an error is encountered, it is dealt with by the Alert Protocol


What happened when?

OpenSSL released March 2012

Patch released 21 March 2014 (some fixes had already been put in place then)

Publicly reported as vulnerable 1 April 2014

First proven attempted exploit 8 April 2014

Intentional vulnerability test 12 April 2014


What versions of OpenSSL are affected?

OpenSSL 0.9.8 branch is NOT vulnerable

OpenSSL 1.0.0 branch is NOT vulnerable

OpenSSL 1.0.1g is NOT vulnerable

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
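A small inventory check that applies the version ranges listed on this slide, added here as an example and not part of the original presentation. It assumes a banner in the format printed by `openssl version` (e.g. "OpenSSL 1.0.1f 6 Jan 2014"); the host names and banners in the sample inventory are constructed.

```python
import re

# Ranges as stated on the slide: 1.0.1 through 1.0.1f (inclusive) vulnerable,
# 1.0.1g fixed; the 0.9.8 and 1.0.0 branches are not vulnerable.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "1.0.1f", "1.0.1", "0.9.8y"; the dots keep dates like "6 Jan 2014" from matching.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(banner):
    """Extract (major, minor, fix, letter) from a string such as 'OpenSSL 1.0.1f 6 Jan 2014'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in: {banner!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_vulnerable(banner):
    """True if the reported version falls in the 1.0.1 .. 1.0.1f range from the slide."""
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False  # 0.9.8, 1.0.0 and every later branch are outside the range
    # Letter releases order alphabetically: "" (plain 1.0.1) < "a" < ... < "f" < "g".
    return letter < FIRST_FIXED_LETTER


def triage(inventory):
    """Return the names of hosts whose banner is in the vulnerable range, in input order."""
    return [host for host, banner in inventory.items() if is_heartbleed_vulnerable(banner)]


# Constructed sample inventory (host name -> output of `openssl version`).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn-01": "OpenSSL 1.0.1 14 Mar 2012",
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable ({SAMPLE_INVENTORY[host]})")
```

The version string is only a first pass: some distributions backport the fix into a package that still reports a version inside the vulnerable range, so a host flagged here should be confirmed against the package changelog or a direct test before it is treated as unpatched, and a host reporting 1.0.1g or later should still be checked for the key and password rotation steps the later slides describe.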


How many sites are vulnerable?


Memory disclosure: what exactly can an attacker get?

Private crypto keys: the keys to the kingdom, or at least the server

Usernames and passwords

Session identifiers

Private data: data payloads

Metadata for the SSL session, programming structure pointers: may defeat other exploit protections


What should you do?

Change all passwords as soon as you can. Find out which sites are vulnerable.

On vulnerable sites that have been patched: old passwords may be compromised.

On sites not yet patched (ask about current status): new passwords may become compromised, so change them regularly.

On sites not affected: was the same password used elsewhere?


Which sites are not affected?

Almost all financial service sites are OK.


Which are common patched sites?


Thanks