Tag: OpenSSL

Testing Heartbleed from the client-side perspective

Date of publication: 18/04/2014, CERT Polska

heartbleed-iconIn the last week or so infosec headlines were dominated by reports in the OpenSSL vulnerability (CVE-2014-0160). We blogged on what the situation looked like in regard to Polish services and address space (and TOR as well). It is worth noting however that the OpenSSL library is used not only in the server software. It is also very common element of the client software. What does that mean? If a client software that is using a vulnerable version of OpenSSL connects to a crafted malicious server, the server can ‘download’ a portion of data from client memory. This portion may contain data on which software operates, i.e. password for a database or configuration.
Read more

Heartbleed in TOR (and in Poland)

Date of publication: 11/04/2014, CERT Polska

heartbleed-iconIn the last few days the most popular vulnerability seems to be CVE-2014-0160. This two years old vulnerability was in OpenSSL library, versions 1.0.1a-f, and allows to read a part of the memory of the process. The use of this library is very prevalent not only in the server environments (e.g. WWW, or mail), but also on desktops in some client applications. However, the most popular browsers are not affected in any way. We publish our analysis of this CVE and its effect on TOR and Polish network. Information on the Electronic Frontier Foundation Deeplinks blog allows to speculate that the intelligence agencies knew about the bug a year ago and actually used it.

Read more