Heartbleed – NOOOOOOOO!!!!!

Wow, some big news hit the computer security industry recently. It turns out that when the rarely used heartbeat extension built into OpenSSL IS used, a client can make the server return a heartbeat response LARGER than the payload it actually sent: each request carries a 16-bit payload length, and the vulnerable versions (1.0.1 through 1.0.1f) copied that many bytes into the response without ever checking the claimed length against the size of the record that really arrived. This wouldn’t be such a big deal, except the extra bytes are whatever happens to sit in the server’s memory just past the request, up to 64 KB per heartbeat. To make it worse, OpenSSL’s default build kept its own freelist of recycled buffers rather than handing them back to the system allocator, so the memory being read wasn’t random or freshly initialized but still contained recently used UNENCRYPTED data from the OpenSSL process. It has been proven that it is possible to extract not only user logins and session cookies, but also the server’s private key, from the memory returned to the client. This is absolutely CRAZY!!!

I have updated all my servers and am good to go, but the bigger concern is whether anyone else knew about it before it was revealed and actually pulled the private keys off bank servers and the like. Without actually knowing, since using this “attack” leaves no trace in normal server logs, the only safe assumption is that the keys HAVE been compromised, which means patching alone isn’t enough: the key pair has to be regenerated and the old certificate revoked and reissued. How will the certificate providers ever keep up with all the new certs they will have to issue and all the old ones they will have to revoke? This is going to cost a fortune. UGH!
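To make the length check concrete, here is a small C simulation I added for this post; it is not code from the post or from OpenSSL itself. It mirrors the shape of tls1_process_heartbeat() in OpenSSL 1.0.1 (type byte, 16-bit length, payload, padding, then a memcpy of the claimed length) and the two bounds checks that 1.0.1g introduced. The "heap", the request bytes and the stand-in secret are all constructed inside the program so the over-read stays inside one array, and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* minimum padding RFC 6520 requires */
#define SECRET "-----BEGIN RSA PRIVATE KEY-----"   /* constructed stand-in for adjacent heap data */

/* Handle one heartbeat record. rec/rec_len describe the record that really
 * arrived; the response goes to out and its length is returned, or -1 if the
 * record is rejected. fixed == 0 mirrors the pre-1.0.1g logic: the 16-bit
 * payload length inside the request is trusted and never compared with
 * rec_len. fixed == 1 adds the checks from 1.0.1g. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap, int fixed)
{
    const unsigned char *p = rec;
    unsigned char *bp = out;
    unsigned char hbtype;
    size_t payload;

    /* Fix, part 1: the record must at least hold type + length + padding. */
    if (fixed && (size_t)(1 + 2 + HB_PADDING) > rec_len)
        return -1;

    hbtype = *p++;
    payload = (size_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) in OpenSSL */
    p += 2;

    /* Fix, part 2: the claimed payload must fit inside what was received. */
    if (fixed && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    if (hbtype != HB_REQUEST)
        return -1;

    /* Capacity check for this simulation only; OpenSSL allocated exactly
     * 1 + 2 + payload + padding for the response, which was not the problem. */
    if (1 + 2 + payload + HB_PADDING > out_cap)
        return -1;

    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);    /* s2n(payload, bp) */
    *bp++ = (unsigned char)(payload & 0xff);
    /* The bug: copies `payload` bytes starting at the request payload, which
     * in the vulnerable case runs far past the end of the request itself. */
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);                /* RAND_pseudo_bytes() in OpenSSL */
    bp += HB_PADDING;
    return (int)(bp - out);
}

static unsigned char resp_buf[256];

/* Constructed scenario: a 22-byte request that claims 64 bytes of payload but
 * carries 3, laid out directly in front of SECRET, which plays the role of
 * other data in the process heap. Returns the response length or -1. */
static int response_length(int fixed)
{
    static unsigned char arena[256];          /* simulated heap: keeps the over-read in bounds */
    size_t rec_len = 0;

    memset(arena, 0, sizeof arena);
    arena[rec_len++] = HB_REQUEST;
    arena[rec_len++] = 0x00;                  /* claimed payload length 0x0040 = 64 */
    arena[rec_len++] = 0x40;
    memcpy(arena + rec_len, "hey", 3);        /* actual payload: 3 bytes */
    rec_len += 3;
    rec_len += HB_PADDING;                    /* padding: wire record is 22 bytes */
    memcpy(arena + rec_len, SECRET, strlen(SECRET));   /* whatever follows the record */

    return process_heartbeat(arena, rec_len, resp_buf, sizeof resp_buf, fixed);
}

/* 1 if the stand-in secret appears anywhere in the heartbeat response. */
static int leaks_secret(int fixed)
{
    int n = response_length(fixed);
    size_t m = strlen(SECRET);
    if (n < 0)
        return 0;
    for (size_t i = 0; i + m <= (size_t)n; i++)
        if (memcmp(resp_buf + i, SECRET, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    int leaked = leaks_secret(0);
    printf("vulnerable: leaked=%d, response bytes=%d\n", leaked, response_length(0));
    leaked = leaks_secret(1);
    printf("fixed:      leaked=%d, response bytes=%d\n", leaked, response_length(1));
    return 0;
}
```

Compile with `cc -o hb hb.c && ./hb`: the vulnerable path answers a 22-byte request with an 83-byte response that contains the stand-in key, while the fixed path drops the record because 1 + 2 + 64 + 16 exceeds what was received. Against a real server the claimed length could go up to 65535, and the bytes came from whatever OpenSSL had recently used in the same region of the heap.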

