The Heartbleed Bug
null Bangalore Chapter - June 2014 Meet


Published in: Education, Technology
Transcript

  • 1. HEARTBLEED Bug, by Sharath Unni
  • 2. Contents
      • Introduction to HTTP
      • Why HTTP over SSL?
      • Discovery of heartbleed
      • OpenSSL heartbeat extension
      • What exactly is bleeding?
      • Protecting against heartbleed attacks
      • A quick demo
  • 3. A typical HTTP communication
      • Client: I would like to open a connection
      • Server: OK
      • Client: GET <file location>
      • Server: Send page or error message
      • Client: Display response
      • Client: Close connection
      • Server: OK
  • 4. Clear-text protocols: When packages of data are sent out over the internet – a lot more can happen than you think!
  • 5. Need for encryption
      • SSL/TLS provides authentication, confidentiality and integrity.
      • Asymmetric encryption for key exchange (public and private keys)
      • Pre-shared secret key between the client and server
      • SHARED secret key – ensures that the message is private even if it is intercepted.
      • OpenSSL – open source implementation of the SSL and TLS protocols
  • 6. Discovery of Heartbleed
      • The bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014
      • Massive SSL bug impacts Internet and its users
      • According to Netcraft’s survey, about 17.5% of SSL sites had the heartbeat extension enabled (half a million)
      • Affected versions – 1.0.1 and 1.0.2-beta, including 1.0.1f and 1.0.2-beta1 (since March 2012)
      • Apache and nginx servers typically run OpenSSL implementations
  • 7. SSL heartbeat
      • SSL heartbeats are defined in RFC 6520
      • Similar to Connection Keep-alive in HTTP
      • They can be sent without authenticating with the server
      • A heartbeat is a message that is sent to the server just so the server can send it back. This lets a client know that the server is still connected and listening.
  • 8. OpenSSL HeartBeat
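  • 9. Heartbleed (CVE-2014-0160)
      • The vulnerability lies in the implementation of Heartbeat
      • The response memory is allocated and filled using the payload length + padding, and that payload length is a user-controlled value taken from the request rather than from the data actually received (buffer over-read)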
  • 10. OpenSSL heartbeat
  • 11. So what if we can read the memory?
  • 12. Metasploit extract of memory dump
  • 13. Metasploit extract of memory dump
  • 14. Protecting Private keys
  • 15. What can we do about it?
      • Remove the HeartBeat extension
      • Upgrade to OpenSSL 1.0.1g
      • Revocation of the old key pairs
      • Force users to change their passwords
      • User awareness
  • 16. Thank you! @sharath_unni h4xorhead@gmail.com
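
The over-read described on slide 9, next to the length check whose absence causes it, as an added example (not from the original slides, and not OpenSSL's code). It is a simplified C model of heartbeat handling; the function names, the sample message and the "secret" string are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* RFC 6520 requires at least 16 padding bytes */

/* Message layout: type(1) | payload_length(2, big-endian) | payload | padding.
 * Unchecked form: echoes as many bytes as the sender *claims* to have sent. */
size_t hb_reply_unchecked(const uint8_t *msg, size_t msg_len, uint8_t *out) {
    (void)msg_len;                       /* received length never consulted */
    size_t declared = ((size_t)msg[1] << 8) | msg[2];
    out[0] = HB_RESPONSE; out[1] = msg[1]; out[2] = msg[2];
    memcpy(out + 3, msg + 3, declared);  /* over-read when declared > sent */
    return 3 + declared;
}

/* Checked form: a message whose declared payload cannot fit in what was
 * actually received is discarded silently (returns 0, no reply). */
size_t hb_reply_checked(const uint8_t *msg, size_t msg_len, uint8_t *out) {
    if (msg_len < 1 + 2 + HB_PADDING || msg[0] != HB_REQUEST) return 0;
    size_t declared = ((size_t)msg[1] << 8) | msg[2];
    if (1 + 2 + declared + HB_PADDING > msg_len) return 0;
    out[0] = HB_RESPONSE; out[1] = msg[1]; out[2] = msg[2];
    memcpy(out + 3, msg + 3, declared);
    return 3 + declared;                 /* reply padding omitted here */
}

/* Constructed sample: a 19-byte request (empty payload + padding) that
 * declares 64 payload bytes, placed in one array next to unrelated data
 * standing in for neighbouring process memory. Returns 1 if the reply
 * contains that data. The array keeps the over-read within defined bounds. */
int reply_contains_secret(int checked) {
    static const char secret[] = "session=CONSTRUCTED-SECRET";
    const size_t slen = sizeof secret - 1, sent = 1 + 2 + HB_PADDING;
    uint8_t arena[128] = {0}, out[3 + 64] = {0};
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 64;
    memcpy(arena + sent, secret, slen);
    size_t n = checked ? hb_reply_checked(arena, sent, out)
                       : hb_reply_unchecked(arena, sent, out);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}
```

A well-formed request (declared length equal to the payload actually sent) is echoed unchanged by both forms; only the mismatched one is dropped by the checked form.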
