A week after the announcement of the "Heartbleed" flaw, security experts are still discovering its consequences for security on the Internet. This document lists the attack scenarios and the corresponding countermeasures. It will help you understand whether you really need to change your passwords, why you should not have done so too early, and why you need to know whether your browser detects revoked certificates.
Revocation checking is in the news again because of a large number of revocations resulting from precautionary rotations for servers affected by the OpenSSL heartbeat bug. However, revocation checking is a complex topic and there's a fair amount of misinformation around. In short, it doesn't work and you are no more secure by switching it on. But let's quickly catch up on the background.
Today, we provided more information to our customers around the research we've done into the Heartbleed vulnerability. As our analysis may inform the research efforts of the industry at large, we are providing it here.
Summary: Akamai patched the announced Heartbleed vulnerability prior to its public announcement. We, like all users of OpenSSL, could have exposed passwords or session cookies transiting our network from August 2012 through 4 April 2014. Our custom memory allocator protected against nearly every circumstance by which Heartbleed could have leaked SSL keys. There is one very narrow window through which 4 Akamai server clusters had a vulnerable release for 9 days in March 2013. For the small number of customers potentially affected, we are proactively rotating certificates.
Yesterday afternoon, Ars Technica published a story reporting two possible logs of Heartbleed attacks occurring in the wild, months before Monday's public disclosure of the vulnerability. It would be very bad news if these stories were true, indicating that blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure.
http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/
Private keys are still not so likely to be exposed, but still much more likely than my original analysis suggested. [...]
Advice for users. Check sites beforehand: http://filippo.io/Heartbleed/ and other tips
The name alone is enough to cause panic. Heartbleed (for "bleeding heart") is a bug detected during the night of Monday 7 to Tuesday 8 April, which would allow access to part of the information stored on a large number of servers for Internet services: websites, but also email services or even "smartphone update mechanisms", network expert Stéphane Bortzmeyer tells Slate.
In plain terms, "your logins and passwords may be compromised, as well as your encrypted exchanges", warns PCINpact. Other media also report that bank card numbers used on e-commerce sites may have been stolen.
So, is it time to panic and stop all activity on the Internet?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Test your servers:
http://s3.jspenguin.org/ssltest.py
http://possible.lv/tools/hb/?sp
Also read:
https://www.pcinpact.com/news/86934-openssl-faille-heartbleed-menace-securite-web-sites-ferment.htm
https://www.peereboom.us/assl/assl/html/openssl.html
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
Monitor your connections:
tshark -i eth0 -R "ssl.record.content_type eq 24 and not ssl.heartbeat_message.type"
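The tshark filter above singles out TLS heartbeat records (content type 24) that the dissector could not parse into a proper heartbeat message. The following is an added example, written for this digest and not taken from any of the linked articles or tools, showing the same check done offline in Python on raw TLS record bytes: it walks the record layer, and for each heartbeat record compares the declared payload length against what the record actually carries (the mismatch that the OpenSSL fix now rejects), also flagging padding shorter than the 16 bytes RFC 6520 requires and truncated records. The function names, the sample records and the 0x0301 version value are all constructed for the example.

```python
"""Offline check for malformed TLS heartbeat records (the Heartbleed pattern)."""
import struct

TLS_HEARTBEAT = 24       # TLS record content type for the heartbeat extension (RFC 6520)
TLS_APPLICATION_DATA = 23
MIN_PADDING = 16         # RFC 6520: padding must be at least 16 bytes


def parse_tls_records(data):
    """Split a byte stream into (content_type, version, body, truncated) tuples.

    Parsing stops at the first record whose declared length runs past the end
    of the data; that record is returned with truncated=True so the caller can
    decide how to treat an incomplete capture.
    """
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            records.append((ctype, version, body, True))
            break
        records.append((ctype, version, body, False))
        pos += 5 + length
    return records


def check_heartbeat(body):
    """Return a verdict string for one heartbeat record body.

    RFC 6520 layout: type(1) | payload_length(2) | payload | padding(>=16).
    A well-formed message therefore needs 3 + payload_length + 16 <= len(body);
    the vulnerable OpenSSL code trusted payload_length without this comparison.
    """
    if len(body) < 3:
        return "malformed: header too short"
    payload_len = struct.unpack("!H", body[1:3])[0]
    actual_payload = len(body) - 3
    if payload_len > actual_payload:
        return "malformed: declared payload %d exceeds record body %d" % (payload_len, actual_payload)
    if actual_payload - payload_len < MIN_PADDING:
        return "malformed: padding shorter than %d bytes" % MIN_PADDING
    return "ok"


def scan(data):
    """Check every heartbeat record in a byte stream.

    Returns a list of (record_index, verdict); truncated heartbeat records are
    reported as such rather than judged on partial contents.
    """
    findings = []
    for index, (ctype, _version, body, truncated) in enumerate(parse_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue
        if truncated:
            findings.append((index, "truncated: incomplete capture"))
            continue
        findings.append((index, check_heartbeat(body)))
    return findings


def build_record(ctype, body, version=0x0301):
    """Wrap a body in a TLS record header (constructed test data only)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample records: a well-formed heartbeat request with a 4-byte
# payload and 16 bytes of padding, an application-data record, and a heartbeat
# request that claims 65535 bytes of payload while carrying a single byte.
GOOD = build_record(TLS_HEARTBEAT, bytes([1]) + struct.pack("!H", 4) + b"abcd" + b"\x00" * MIN_PADDING)
APPDATA = build_record(TLS_APPLICATION_DATA, b"hello")
BAD = build_record(TLS_HEARTBEAT, bytes([1]) + struct.pack("!H", 0xFFFF) + b"x")

if __name__ == "__main__":
    for index, verdict in scan(GOOD + APPDATA + BAD):
        print("record %d: %s" % (index, verdict))
```

In practice the bytes would come from a pcap or a socket tap rather than the constructed records above, and only the record layer before encryption is inspected; once the heartbeat records are themselves encrypted, the length fields are still visible in the record header but the inner heartbeat header is not, which is why the tshark filter is most useful on the unencrypted heartbeats sent during or right after the handshake.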