2. What is the Heartbleed bug?
The Heartbleed bug (CVE-2014-0160) is a vulnerability in OpenSSL's
implementation of the TLS heartbeat extension.
OpenSSL is a cryptographic library, not a browser: web servers and
clients use it to provide the "secure" HTTPS:// connection.
A heartbeat request can be sent WITHOUT any authentication (no login,
no credentials), and a vulnerable server or client answers it with up
to 64 KB of its own memory per request.
3. TCP/IP Layers
SSL/TLS sits between TCP (transport layer) and HTTP (application layer):
HTTP messages are carried inside TLS records, which are carried inside TCP segments.
4. SSL Protocols
Handshake Protocol
Negotiates the cipher suite and keys and authenticates the server
(and optionally the client)
Record Protocol
Frames, encrypts and integrity-protects the application data, and carries
the other protocols as typed records
Alert Protocol
Signals errors and connection closure; if an error is encountered, it is
reported through an Alert message
The heartbeat extension (RFC 6520) adds one more record type at this
layer, and Heartbleed is a bug in the code that handles it.
5. What happened when?
OpenSSL 1.0.1, the first release containing the heartbeat extension,
released 14 March 2012
Bug discovered by Google's security team; Google patched its own servers
21 March 2014 (the public fix came later)
Reported privately to OpenSSL 1 April 2014
Fix released as OpenSSL 1.0.1g, with public disclosure, 7 April 2014
First confirmed exploit attempt 8 April 2014
Intentional vulnerability test 12 April 2014
6. What versions of OpenSSL are
affected?
OpenSSL 0.9.8 branch is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.1 through 1.0.1f (inclusive) are
vulnerable (as was the 1.0.2-beta1 pre-release)
Check with `openssl version`; note that some distributions backport the
fix without changing the version string, so the package changelog is the
authoritative source there.
8. Memory disclosure: what exactly
can an attacker get?
Each request returns up to 64 KB of whatever happened to be next to the
heartbeat buffer in memory, and the request can be repeated at will.
Private crypto keys - the keys to the kingdom,
or at least the server.
Usernames and passwords
Session identifiers (cookies, tokens)
Private data - request and response payloads
Metadata for the TLS session and pointers into the process's own data
structures, which can defeat exploit mitigations such as ASLR for a
follow-on attack
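To show the mechanism behind slides 2 and 8 concretely, here is an added C model of the heartbeat handler. It is not OpenSSL's code: it is a simplified re-implementation written for this page that keeps the one property that mattered (the handler trusts the attacker's declared payload length instead of the record's real length), beside the same handler with the bounds check that 1.0.1g added. The "secret" bytes and the in-memory layout are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16            /* RFC 6520: at least 16 bytes of padding */

/* Build a heartbeat request: type(1) | payload_length(2, big-endian) | payload | padding.
 * claimed_len is what goes on the wire; real_len is how much payload is actually present.
 * Returns the record length, or 0 if it would not fit. */
static size_t build_heartbeat(unsigned char *rec, size_t cap, uint16_t claimed_len,
                              const unsigned char *payload, size_t real_len)
{
    size_t n = 1 + 2 + real_len + HB_PADDING;
    if (n > cap) return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, real_len);
    memset(rec + 3 + real_len, 0, HB_PADDING);
    return n;
}

/* Vulnerable handler (behaviour of 1.0.1 through 1.0.1f): copies claimed_len bytes
 * starting at the payload and never checks that against the record's real length.
 * Returns the number of bytes placed in the response. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap) return 0;                 /* only the reply buffer is bounded */
    memcpy(out, rec + 3, payload);                   /* over-reads past the record */
    return payload;
}

/* Fixed handler: the bounds check added in 1.0.1g. A request whose declared length
 * does not fit inside the record is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;      /* too short for any request */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the 1.0.1g check */
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Constructed "process memory": the record, then bytes standing in for whatever the
 * heap held next to it (a stand-in string, not a real key). Everything the vulnerable
 * handler reads stays inside this array, so the demo itself is well defined. */
#define MEM_SIZE 256
static const char secret[] = "SECRET-PRIVATE-KEY-MATERIAL";   /* 27 chars + NUL */
static unsigned char memory[MEM_SIZE];

/* Lay out a 4-byte payload that claims to be `claimed` bytes long, then the secret.
 * Returns the real record length (23 bytes). */
static size_t stage(uint16_t claimed)
{
    memset(memory, 0, MEM_SIZE);
    size_t rec_len = build_heartbeat(memory, MEM_SIZE, claimed,
                                     (const unsigned char *)"ping", 4);
    memcpy(memory + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Vulnerable server, malicious request: returns how many bytes of `secret`
 * (including its NUL) were copied into the reply. */
size_t demo_vulnerable_leak(void)
{
    unsigned char out[256];
    size_t rec_len = stage(64);
    size_t n = heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    size_t gap = rec_len - 3;                        /* payload start to secret start */
    if (n <= gap) return 0;
    size_t leaked = n - gap;
    if (leaked > sizeof secret) leaked = sizeof secret;
    return memcmp(out + gap, secret, leaked) == 0 ? leaked : 0;
}

/* Fixed server, same malicious request: nothing comes back. */
size_t demo_fixed_rejects(void)
{
    unsigned char out[256];
    size_t rec_len = stage(64);
    return heartbeat_fixed(memory, rec_len, out, sizeof out);
}

/* Fixed server, honest request: the 4-byte payload is echoed and nothing more. */
size_t demo_fixed_echoes(void)
{
    unsigned char out[256];
    size_t rec_len = stage(4);
    size_t n = heartbeat_fixed(memory, rec_len, out, sizeof out);
    return (n == 4 && memcmp(out, "ping", 4) == 0) ? n : 0;
}

int main(void)
{
    printf("vulnerable handler leaked %zu bytes of the secret\n", demo_vulnerable_leak());
    printf("fixed handler returned %zu bytes for the same request\n", demo_fixed_rejects());
    printf("fixed handler echoed %zu bytes for an honest request\n", demo_fixed_echoes());
    return 0;
}
```

The real handler used a 16-bit length field, so a single request could ask for up to 65535 bytes; the model caps the reply at its output buffer only to keep the demonstration inside its own array. The point to take from the two handlers is that the fix is one comparison between the declared length and the length the record layer actually delivered.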
9. What should you do?
Find out which sites you use were vulnerable and whether they have been
patched (and have replaced their certificates, since the private key may
have leaked).
Change your password on each affected site as soon as it has been patched.
On vulnerable sites that have been patched:
Old passwords may already be compromised, so change them now
On sites not yet patched (ask about current status):
New passwords may become compromised too, so wait for the patch if you
can, and change them again once it lands
On sites not affected:
Was the same password used on an affected site elsewhere? If so, change
it here as well
10. Which sites are not affected?
Most major financial service sites reported that they were not affected;
check each site's own statement rather than assuming.