Heartbleed One Year Later: Has Anything Changed?

darthcamaro writes: It was on April 7, 2014 that the CVE-2014-0160 vulnerability titled "TLS heartbeat read overrun" in OpenSSL was first publicly disclosed — but to many its a bug known simply as Heartbleed. A new report from certificate vendor Venafi claims that 76% of organizations are still at risk, though it's a statistic that is contested by other vendors as well as other statistics. Qualys' SSL Pulse claims that only 0.3 percent of sites are still at risk. Whatever the risk is today, the bottom line is that Heartbleed did change the security conversation — but did it change it for the better or the worse? A related article explores how Heartbleed could have been found earlier.

I patched my tape library, that changed

[Deon Lasini]

one less vulnerable device

Re:

[laffer1]

You can't just compare the number of vulnerabilities. You have to look at how critical they were. You have to look at what components they were in. For example, does Windows include IE? I'm sure your iOS and OS X numbers include Safari. For Linux, is this just the kernel, a distro or all distros?

Re:

[PixetaledPikachu]

Gentoo Linux had more bugs than IE in 2014, 350 to 289 so not even close.

You're comparing an operating system distro to a browser. You do realize that don't you? For a better comparison try Firefox vs IE: 171 vs 289.

In fact as of March this year both Apple and Linux have more bugs than Windows, again by pretty large amounts. For those wanting the figures and don't want to read TFL? OSX is the worst at 147 followed by iOS at 127, Linux at 119, and Windows, which the Linux faithful are always screaming is "full of bugs"? A grand total of...38. [betanews.com]

RHEL from 2002 to Q1: 2015: 286 [cvedetails.com], Ubuntu latest LTS: 66 [cvedetails.com], Debian: 214 [cvedetails.com]. Compare those to Windows 2008 from 2007-2015: 524 [cvedetails.com], or Windows 2012 from 2012 to Q1 2015: 133 [cvedetails.com], and of course Windows 8.1: 82 [cvedetails.com]

Re:

[Eunuchswear]

The other major change is that security sites are starting to actually TEST Linux

What does heartblead have to do with Linux? This bug was present on all platforms that had OpenSSL.

For example:

Microsoft Windows
MacOS
BSD Unix
Linux
VMS ....

We really should rethink web encryption.

[jellomizer]

I am not a full time systems administrator, but I have setup ssl sights before. And if you don't do it all the time or at least one every 6 months. The process is cumbersome and difficult.
We have the cert agency otherwise the popular web browsers we'll create alerts stating how much of a horable institution you are for not shilling out cash for a key.
Then IIS vs Apache vs other browsers have different rules to setup and sometimes it just doest work when you follow the instructions.

It is a process that sho

Re:We really should rethink web encryption.

[Anonymous Coward]

then you send the cert company your key made during the install process

Fail.

Re:

[Anubis IV]

If you trust them to issue you a non-compromised certificate now, you should be able to trust them enough to protect your self-generated cert for a DNS-like verification and lookup system.

It's not an improvement, but it's really no worse than what we already have.

The OP for this topic, with whom you seem to be siding, was suggesting providing the CA with his private keys, and there's a massive difference between asking someone to verify your identity on a one-time basis and trusting someone to protect your identity in perpetuity. Going off of some of what was said by you and the OP...

A) I don't need to "trust them to issue [me] a non-compromised certificate", because that's not how compromised certificates work. When a CA issues you a cert, the first thing you do is

Best-practice ciphers

[emil]

In addtion to sending the CSR, and not the key, scan your SSL server with the SSL Labs Scanner [ssllabs.com] and you will see many flaws.

To fix these flaws, apply these cipher best practices [hynek.me] to lock out bad ciphers (RC4, export-grade ciphers), and deny the entire SSLv3 protocol which now has critical design flaws.

The key to the best-practice ciphers are these Apache directives (this configuration is also effective on the older 0.9.8 OpenSSL):

SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES25

Re:

[jeremyp]

Only if it is the private key.

Re:We really should rethink web encryption.

[ledow]

If SSL'ing a site is more than a 10 minute process for you (not including the time to return the cert from the CA after you've sent them the CSR), including anything more than a single restart of the web service (and that doesn't even need to be a full restart with Apache, etc.) then I worry about how you go about it.

SSL sites with existing keys - upgrading the key, or changing the order of allowed cryptography, etc. - that's literally a one-line change (to point to new certificate file, or change the configuration line) and a restart. If the site is visibly down for more than a second or two, I'll be disappointed.

And in terms of CA's, just use the proper ones. If you have need of SSL, then you can spend the annual renewal on a decent CA. It's part of the running costs of having a web presence. Hell, if you're worried, use two different root CAs and if one gets revoked for whatever reason, you can just switch the config to the other.

It's not difficult.

And, you know what? If you have SSL and need SSL then there's a reason it SHOULDN'T be a brainless operation. Because that's just one part of securing the data being transferred.

I do network admin and I only do SSL once a year or even less when the certificates expire. I'm often at a different employer by the time certificate renewal comes up and have to familiarise myself with software I've never used before and never put SSL certs into before. It's not that difficult a process at all.

And your "solution" is exactly what happens already. The reason you get SSL errors if you just enable SSL is because the default cert isn't signed or is only local but it's (usually) there. To get it signed you make a CSR, upload it to your CA, and they send you back a certificate that you plug into. And then the browser decides the quality of that cert and trust chain.

Sorry, mate, but if this is too difficult for you, you shouldn't BE setting up SSL sites. It sounds like you're doing it just to shut user's browsers up when they whinge. That's the EASY part of the process of making sure you're securely handling whatever data they are sending your way.

Re:

[Anonymous Coward]

While upgrading a cert might be easy if you have direct access to the server, many shared hosting providers provide extremely bulky and cumbersome interfaces for managing SSL.

I don't know how many times I've had to help customers using ancient shared hosting solutions to upgrade SSL certs, and having to plan at least 30 minutes of downtime for the service at hand simply because the CRON the host uses to reload the Apache config only runs every 30 minutes.

To get back OT: Yes, Heartbleed has changed the way p

Re:

[nine-times]

If SSL'ing a site is more than a 10 minute process for you... then I worry about how you go about it.

I think his point was that, if you know what you're doing and you do these sorts of things regularly, yes, it's pretty simple and quick. However, if you're not used to the process because you're not doing it frequently, it becomes more cumbersome and frustrating. For example, on Windows, the process has changed a bit over the years-- not the process of issuing the key, of course, but exactly where do you go in Windows to go through the whole process? What does that process look like? If you want to use

Re:

[radarskiy]

"Sorry, mate, but if this is too difficult for you, you shouldn't BE setting up SSL sites."

It is in our interest that everyone else have secure setups. We have no means of stopping people from setting up SSL so we might as well help them do it right.

Re:

[Anonymous Coward]

Forgive me, but I'm not sure I trust someones opinion who works on ssl "sights".

Re:

[oodaloop]

FYI, not everyone who speaks English speaks it as a first language.

Re:

[wonkey_monkey]

Forgive me, but I'm not sure I trust the opinion of someone who doesn't know how to use apostrophes and doesn't capitalise initialisms.

Re:

[Zero__Kelvin]

"Fewer software makers are willing to embed open source software due to the high risk of including wide open security holes in their products."

Well that certainly explains the vast majority of commercial embedded systems run Linux, then, doesn't it?

"Aside from the reduced security risks, commercial libraries often come with legal indemnification clauses, which bring extra business value."

Are you trolling, or just a moron? Point me to one software product that doesn't leave the onus on the developer. Just

Re:

[RabidReindeer]

People love cheap shit, until it breaks, then they look for someone to blame.

People love cheap shit, until it breaks, then they look for someone other than themselves to blame.

FTFY

Re:

[Chris Mattern]

Lame comebacks don't change the fact the OP's claim is not just blatantly false, it is ridiculously false.

Re:

[Anonymous Coward]

Aside from the reduced security risks, commercial libraries often come with legal indemnification clauses, which bring extra business value.

ROFLMAO You sir/madame are a fool by any other name. Legal indemnification clauses are in the commercial software and open source and free/libre software alike. They all say use at your own risk and you will not hold the developer / company / organisation liable for any losses or damages arising from use of said software. Otherwise Microsoft Corporation would have been bankrupt decades ago.

Re:

[mwvdlee]

commercial libraries often come with legal indemnification clauses, which bring extra business value.

I know of NO software, whether it be libraries or applications, open source or closed source, that don't have a legal disclaimer in their license.

The Little Logo That Could

[TheRealHocusLocus]

Heartbleed was The Little Logo That Could [wikipedia.org]. Like the peace sign of the 60s, the happy face of the 70s. It broke a decades-long trend of overzealous graphic design to portray security vulnerabilities.

For years! Over-matted and often disingenuously constructed stock photo montages of so-called 'security', 'hacker' or 'cybercrime' objects on highly saturated over-stylized texture backgrounds. You know what I mean: the kind of schlock that looks great on the screen but it is a design train wreck if you attempt t

Re:The Little Logo That Could

[Trepidity]

The Heartbleed logo is the first logo designed in almost 50 years that has no need for a drop shadow.

Are drop shadows really that popular in logos? The trend as I see it seems to be towards "flat" designs, both in logos and other areas like UIs (e.g. recent versions of iOS and OSX have dropped the pseudo-3d elements and specular highlights). When I think of a typical modern corporate logo I think of something like the new (2001) BP logo [wikimedia.org], which is entirely flat.

Re:

[wonkey_monkey]

The Heartbleed logo is the first logo designed in almost 50 years that has no need for a drop shadow.

http://google.com/ [google.com]
http://www.bbc.co.uk/ [bbc.co.uk]

The buzz was needed

[zoefff]

I think the awareness it created by doing an incorrect disclosure and the frantic reactions that followed, made it possible that many sites were patched, that otherwise were not patched at all, and certificates renewed, that otherwise would stay the same due to laziness of the maintainers.

The legitimate question is of course if that outweighs having the whole world open to this vulnerability for a short amount of time. (On the other hand, they were open anyway).

MARKETING BULLSHIT

[Anonymous Coward]

Heartbleed was patched before microsoft tried to portray linux as an insecure os. The microsoft os is more insecure and more dangerous to the average person than linux ever will be. Microsoft should be in jail for this alone. How many other pieces of shit from the microsoft employment line do we have to put up with and yes if you work for microsoft you are a piece of shit. fuck you.

Heartblead could have been found earlier.

[Eunuchswear]

Heartblead could have been found earlier if the person writing the code for the heartbeat option had read the RFC describing the heartbeat option.

The RFC explicitly described the error case that resulted in the heartblead bug and said that the implementation SHOULD check for it.

This all gets wierder when you realise that the person who wrote the code was the same person who wrote the RFC.

Codenomicon and Heartbleed ..

[DougPaulson]

Google discovered the vulnerability on March 21 and communicated it to Codenomicon and the OpenSSL Project. Codenomicon disclosed it to the public before it was patched. On April 07 the OpenSSL Project released a patch.

Heartbleed - how it could have been found

[dwheeler]

My article How to Prevent the next Heartbleed [dwheeler.com] lists in detail different ways that Heartbleed could have been found ahead-of-time. The point isn't to find it now, it's to learn from Heartbleed so we prevent a recurrence. There are many ways to detect vulnerabilities like this ahead of time... we need to start using some of them.