https://www.openssl.org/news/secadv_20140407.txt  

OpenSSL Security Advisory [07 Apr 2014] ======================================== TLS heartbeat read overrun (CVE-2014-0160) ========================================== A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.

everyone makes mistakes… the question is: how to deal with our errors? could a test-documentation help there? http://www.dailydot.com/technology/heartbleed-bug-robin-seggelmann/

test your server/browser: https://www.ssllabs.com/

While much of the world was out celebrating the new year of 2012, Robin Seggelmann was writing late-night code that would lead to the worst disaster in recent Internet history.

Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic protocol that has affected two-thirds of the entire Internet’s communications, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old Münster, Germany-based programmer.

That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.

Photo source: Linuxtag

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,“ he told the Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.“

The man who reviewed his code, Dr. Stephen Henson, managed to miss the error completely as well.

By exploiting that small mistake, an attacker can steal a big slice of data from a computer’s main memory, which can contain usernames, passwords, and content that can endanger much of the Web’s most private content.

In the wake of Edward Snowden’s revelations of massive NSA Internet surveillance, questions quickly popped up, asking if Seggelmann had done this on purpose in an effort to build a backdoor into one of the Internet’s most important security tools.

Seggelman has denied deliberately inserting the flaw, saying it could „be explained pretty easily.” He does, however, know why it’s “tempting” to see the error as intentional. He calls Heartbleed “a simple programming error” that was “not intended at all”—but that it’s absolutely possible that intelligence agencies like the NSA have made use of the vulnerability since it was introduced.

„It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,“ Seggelmann said.

A year after writing the catastrophic bug, Seggelmann would finish up his PhD thesis titled “Strategies to Secure End-to-End Communication” at the University of Duisburg-Essen.

admin