Heartbleed: For want of one nail, the kingdom is lost

The Heartbleed OpenSSL problem is big news ( http://heartbleed.com if you’ve been under a rock ). What’s wrong?

In short, Heartbeat allows one endpoint to go “I’m sending you some data, echo it back to me”. It supports up to 64 KiB. You send both a length figure and the data itself. Unfortunately, if you use the length figure to claim “I’m sending 64 KiB of data” (for example) and then only actually send, say, one byte, OpenSSL would send you back your one byte — plus 64 KiB minus one byte of other data from RAM.

Whoops!

Matt Nordhoff from, http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work

So this one, tiny-looking problem brings our entire sand-castle Internet kingdom down. “Secure” web sites turn out aren’t necessarily secure. Worse, they haven’t been secure for some uncertain amount of time. So, anything communicated insecurely, during some uncertain time-frame… is, uh, possibly snooped, stolen, etc. The system admins have to patch the fix in, then redo site certificates, then everything everyone has put to/from those sites, (your login and password for example!) has to all be considered stolen/tainted and has to be reentered.

Bonus: it’s even worse than I’m making it sound: Try this on…

http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work

http://security.stackexchange.com/questions/55097/can-heartbleed-be-used-to-obtain-memory-from-other-processes

ɕ