The Heartbleed Bug
-
I guess just about all of us have now heard about the heartbleed bug[^]. From the rather massive media coverage it appears that this can be exploited in ways that allows an attacker to potentially retrieve logon information such as user names and passwords. If this is possible, it also means that the actual password, and not a cryptographic digest, has been sendt to the server - and that the actual real password is kept in memory, and that it is either stored locally by the server, or the server can retrieve the password from another server on the network, or farward it to another server for authentication. Even if there was no heartbleed bug, this sounds like a f***up on a much grander scale than the heartbleed bug, because it makes it likely that a lot of people believe they have implemented strong security, while actually implementing something that is quite vulnerable. Thoughts anybody? or jokes (if you can come up with good ones) [Update] Just to be clear: I think we should allways use transport level security, and even then we should never send the password in a form that can be easily reconstructed.
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
I guess just about all of us have now heard about the heartbleed bug[^]. From the rather massive media coverage it appears that this can be exploited in ways that allows an attacker to potentially retrieve logon information such as user names and passwords. If this is possible, it also means that the actual password, and not a cryptographic digest, has been sendt to the server - and that the actual real password is kept in memory, and that it is either stored locally by the server, or the server can retrieve the password from another server on the network, or farward it to another server for authentication. Even if there was no heartbleed bug, this sounds like a f***up on a much grander scale than the heartbleed bug, because it makes it likely that a lot of people believe they have implemented strong security, while actually implementing something that is quite vulnerable. Thoughts anybody? or jokes (if you can come up with good ones) [Update] Just to be clear: I think we should allways use transport level security, and even then we should never send the password in a form that can be easily reconstructed.
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
Espen Harlinn wrote:
Thoughts anybody? or jokes
Covering all bases here.
Wrong is evil and must be defeated. - Jeff Ello[^]
-
I guess just about all of us have now heard about the heartbleed bug[^]. From the rather massive media coverage it appears that this can be exploited in ways that allows an attacker to potentially retrieve logon information such as user names and passwords. If this is possible, it also means that the actual password, and not a cryptographic digest, has been sendt to the server - and that the actual real password is kept in memory, and that it is either stored locally by the server, or the server can retrieve the password from another server on the network, or farward it to another server for authentication. Even if there was no heartbleed bug, this sounds like a f***up on a much grander scale than the heartbleed bug, because it makes it likely that a lot of people believe they have implemented strong security, while actually implementing something that is quite vulnerable. Thoughts anybody? or jokes (if you can come up with good ones) [Update] Just to be clear: I think we should allways use transport level security, and even then we should never send the password in a form that can be easily reconstructed.
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
Go to QA, and you will see that the "next generation" of developers not only store clear text passwords, but that they access them by concatenating strings:
string sql = "SELECT * FROM Users WHERE UserId='" + tbUser.Text + "' AND Password='" + tbPassword.Text+"'";
So not only is the site vulnerable to Heartbleed, but SQL Injection and password bypass. So if I type:
Chris Maunder';--
in the Username textbox, I could log in as the Admins...(Needless to say, that won't work here on CP!) Worse, if you pick them up on it they give the keyboard equivalent of a shrug and ignore you... :sigh:
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
-
Go to QA, and you will see that the "next generation" of developers not only store clear text passwords, but that they access them by concatenating strings:
string sql = "SELECT * FROM Users WHERE UserId='" + tbUser.Text + "' AND Password='" + tbPassword.Text+"'";
So not only is the site vulnerable to Heartbleed, but SQL Injection and password bypass. So if I type:
Chris Maunder';--
in the Username textbox, I could log in as the Admins...(Needless to say, that won't work here on CP!) Worse, if you pick them up on it they give the keyboard equivalent of a shrug and ignore you... :sigh:
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
-
To you and I (and the majority of Lounge inhabitants) they are "copy'n'paste" merchants. To themselves, and their lecturers - and worse, their bosses - they are developers par excellence! :doh:
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
-
I guess just about all of us have now heard about the heartbleed bug[^]. From the rather massive media coverage it appears that this can be exploited in ways that allows an attacker to potentially retrieve logon information such as user names and passwords. If this is possible, it also means that the actual password, and not a cryptographic digest, has been sendt to the server - and that the actual real password is kept in memory, and that it is either stored locally by the server, or the server can retrieve the password from another server on the network, or farward it to another server for authentication. Even if there was no heartbleed bug, this sounds like a f***up on a much grander scale than the heartbleed bug, because it makes it likely that a lot of people believe they have implemented strong security, while actually implementing something that is quite vulnerable. Thoughts anybody? or jokes (if you can come up with good ones) [Update] Just to be clear: I think we should allways use transport level security, and even then we should never send the password in a form that can be easily reconstructed.
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
Espen Harlinn wrote:
If this is possible, it also means that the actual password, and not a cryptographic digest, has been sendt to the server
The way I read it is that the key pair can be read and thus the pwd decrypted. So the pwd is stored in an encrypted form so it doesn't look as bad as you think. At least that's my take, but I don't know jack about security stuff. :)
"The whole idea that carbon dioxide is the main cause of the recent global warming is based on a guess that was proved false by empirical evidence during the 1990s." climate-models-go-cold
-
I guess just about all of us have now heard about the heartbleed bug[^]. From the rather massive media coverage it appears that this can be exploited in ways that allows an attacker to potentially retrieve logon information such as user names and passwords. If this is possible, it also means that the actual password, and not a cryptographic digest, has been sendt to the server - and that the actual real password is kept in memory, and that it is either stored locally by the server, or the server can retrieve the password from another server on the network, or farward it to another server for authentication. Even if there was no heartbleed bug, this sounds like a f***up on a much grander scale than the heartbleed bug, because it makes it likely that a lot of people believe they have implemented strong security, while actually implementing something that is quite vulnerable. Thoughts anybody? or jokes (if you can come up with good ones) [Update] Just to be clear: I think we should allways use transport level security, and even then we should never send the password in a form that can be easily reconstructed.
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
To you and I (and the majority of Lounge inhabitants) they are "copy'n'paste" merchants. To themselves, and their lecturers - and worse, their bosses - they are developers par excellence! :doh:
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
-
Espen Harlinn wrote:
Thoughts anybody? or jokes
Covering all bases here.
Wrong is evil and must be defeated. - Jeff Ello[^]
:laugh: Nearly as good as littel bobby tables[^]
Jörgen Andersson wrote:
Covering all bases here
Thanks :thumbsup:
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
Go to QA, and you will see that the "next generation" of developers not only store clear text passwords, but that they access them by concatenating strings:
string sql = "SELECT * FROM Users WHERE UserId='" + tbUser.Text + "' AND Password='" + tbPassword.Text+"'";
So not only is the site vulnerable to Heartbleed, but SQL Injection and password bypass. So if I type:
Chris Maunder';--
in the Username textbox, I could log in as the Admins...(Needless to say, that won't work here on CP!) Worse, if you pick them up on it they give the keyboard equivalent of a shrug and ignore you... :sigh:
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
OriginalGriff wrote:
Worse, if you pick them up on it they give the keyboard equivalent of a shrug and ignore you...
I know - and they'll continue to get paid for it ... it's like 2013 never happened[^]
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
Espen Harlinn wrote:
If this is possible, it also means that the actual password, and not a cryptographic digest, has been sendt to the server
The way I read it is that the key pair can be read and thus the pwd decrypted. So the pwd is stored in an encrypted form so it doesn't look as bad as you think. At least that's my take, but I don't know jack about security stuff. :)
"The whole idea that carbon dioxide is the main cause of the recent global warming is based on a guess that was proved false by empirical evidence during the 1990s." climate-models-go-cold
Munchies_Matt wrote:
so it doesn't look as bad as you think
Errhm ... hearbleed lets you read memory from the server:When it is exploited it leads to the leak of memory contents from the server There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on it's own should be worthless ...
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
Munchies_Matt wrote:
so it doesn't look as bad as you think
Errhm ... hearbleed lets you read memory from the server:When it is exploited it leads to the leak of memory contents from the server There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on it's own should be worthless ...
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
To you and I (and the majority of Lounge inhabitants) they are "copy'n'paste" merchants. To themselves, and their lecturers - and worse, their bosses - they are developers par excellence! :doh:
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
OriginalGriff wrote:
developers par excellence!
Unfortunately, all too true. I know of at least 2 members that have been here for multiples years. One such person has gotten his entire application written by copying and pasting code around in questions getting people to write and rewrite his code for him. Even more sadly, this person cannot write code, cannot debug his code or anything else (by his own admission BTW), but for some strange reason, thinks he is qualified to teach students how to program! WTE? I have said it before and I will say it again, Griff my old friend, you Sir could probably teach Job a thing or two. I don't know how you do it. But my hat is off to you!
-
I have had LinkedIn account for some time. I don't care too much about security issues anymore.
I guess you tried for a joke - and being perhaps a bit slow tonight, I'm having a bit of a struggle ... :sigh:
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
I guess just about all of us have now heard about the heartbleed bug[^]. From the rather massive media coverage it appears that this can be exploited in ways that allows an attacker to potentially retrieve logon information such as user names and passwords. If this is possible, it also means that the actual password, and not a cryptographic digest, has been sendt to the server - and that the actual real password is kept in memory, and that it is either stored locally by the server, or the server can retrieve the password from another server on the network, or farward it to another server for authentication. Even if there was no heartbleed bug, this sounds like a f***up on a much grander scale than the heartbleed bug, because it makes it likely that a lot of people believe they have implemented strong security, while actually implementing something that is quite vulnerable. Thoughts anybody? or jokes (if you can come up with good ones) [Update] Just to be clear: I think we should allways use transport level security, and even then we should never send the password in a form that can be easily reconstructed.
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
The issue is that it is in the SSL protocol which is usually safe. Because of that passwords are not typically hashed in javascript on the client, but the hash is generated on the server. That's why the servers might have passwords in memory. The bigger issue is that someone might have gotten the server's private key and been able to decrypt all the traffic to the server.
Curvature of the Mind now with 3D
-
Munchies_Matt wrote:
so it doesn't look as bad as you think
Errhm ... hearbleed lets you read memory from the server:When it is exploited it leads to the leak of memory contents from the server There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on it's own should be worthless ...
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
Your link says as much "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet" It doesnt say stealing passwords, it says stealing the encryption keys, and thus decrypting the traffic and thus effecting a 'man in the middle' attack.
Espen Harlinn wrote:
which, on it's own should be worthless
See 'man in the middle' attacks.
"The whole idea that carbon dioxide is the main cause of the recent global warming is based on a guess that was proved false by empirical evidence during the 1990s." climate-models-go-cold
-
Munchies_Matt wrote:
so it doesn't look as bad as you think
Errhm ... hearbleed lets you read memory from the server:When it is exploited it leads to the leak of memory contents from the server There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on it's own should be worthless ...
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
Espen Harlinn wrote:
There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on it's own should be worthless ...
Hashed passwords (even salted) can be cracked much faster than you think in may cases because people are bad at generating randomness. As such by going through likely passwords it is possible to crack thousands of passwords in a few hours.
-
Go to QA, and you will see that the "next generation" of developers not only store clear text passwords, but that they access them by concatenating strings:
string sql = "SELECT * FROM Users WHERE UserId='" + tbUser.Text + "' AND Password='" + tbPassword.Text+"'";
So not only is the site vulnerable to Heartbleed, but SQL Injection and password bypass. So if I type:
Chris Maunder';--
in the Username textbox, I could log in as the Admins...(Needless to say, that won't work here on CP!) Worse, if you pick them up on it they give the keyboard equivalent of a shrug and ignore you... :sigh:
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
-
Munchies_Matt wrote:
so it doesn't look as bad as you think
Errhm ... hearbleed lets you read memory from the server:When it is exploited it leads to the leak of memory contents from the server There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on it's own should be worthless ...
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
Espen Harlinn wrote:
There shouldn't be any passwords to read from the memory on the server
What happens when someone logs in? The password is sent to the server (over SSL) and so the server may have have it in a variable in memory for a period of time. How long the variable lives depends on the platform and scope (Allocated on the stack? Allocated on a memory managed heap? Static buffer constantly being overwritten?)
cheers Chris Maunder
-
OriginalGriff wrote:
So if I type:
Chris Maunder';--
in the Username textbox,
Uh, 'Griff? Can I have my password back now? Please?
cheers Chris Maunder
Oh... All right... ;)
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
