{"id":1482,"date":"2014-04-11T07:39:33","date_gmt":"2014-04-11T07:39:33","guid":{"rendered":"http:\/\/joapen.com\/blog\/?p=1482"},"modified":"2015-08-12T20:47:46","modified_gmt":"2015-08-12T20:47:46","slug":"heartbleed-vulnerability","status":"publish","type":"post","link":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/","title":{"rendered":"HeartBleed vulnerability"},"content":{"rendered":"<p>Some basics I&#8217;ve learned about this issue.<\/p>\n<p><strong>OpenSSL is an open-source implementation of SSL<\/strong>.\u00a0 It is not the only implementation of SSL, and is not even the primary implementation of SSL.\u00a0 Most vendors have their own implementation of SSL and TLS, which is directly related.<\/p>\n<p>OpenSSL is available as an installed package, or as a utility &#8220;toolkit&#8221;.<\/p>\n<p><strong>The Heartbleed vulnerability is due to a programming error<\/strong> introduced in December 2011 and has been present in production releases since February 2012.<\/p>\n<p>Primary places where the full package is used:\u00a0 web servers such as Apache and nginx.<br \/>\nCommon uses for the toolkit: custom-written applications that use SSL to protect their data, such as VPN clients and SSL VPNs.<\/p>\n<p>The estimated number of commercial web sites subject to this vulnerability is huge:\u00a0 500,000 worldwide.<\/p>\n<p><strong>Is Windows or Mac affected by this issue?<\/strong>\u00a0 Not inherently &#8211; neither uses an open-source implementation of SSL or TLS.\u00a0 However, the likelihood of any of the sites you use on a regular basis being vulnerable is very high, as Apache is very commonly used for commercial web sites.\u00a0 Your best bet is to contact product vendors and watch the security media to understand exactly which of your products are vulnerable.<\/p>\n<p><strong>Is my Linux\/Unix system vulnerable?<\/strong>\u00a0 Very possibly.\u00a0 OpenSSL is much more common on these systems.<\/p>\n<p><strong>Can I know if I&#8217;ve 
been compromised?<\/strong>\u00a0 In short, no.\u00a0 The vulnerability leaves sensitive data such as private keys, usernames, passwords, and more in memory on the system in a decrypted form where it can be directly read by any program.\u00a0 Testing of the currently published exploits shows that they are virtually undetectable.\u00a0 This is a particularly difficult vulnerability, as it is difficult, if not impossible, to tell whether a program reading this area in memory is doing it as part of normal operation or as part of the exploit.\u00a0 So typical log monitoring will not identify a compromise in this instance.<\/p>\n<p><strong>Is a fix available?<\/strong>\u00a0 Are all versions affected?\u00a0 The vulnerability has been remediated in the current version.\u00a0 See the link below for a list of secure versions and a list of safe and unsafe operating systems.<\/p>\n<p>A good source of additional info:\u00a0 <a href=\"http:\/\/heartbleed.com\/\">http:\/\/heartbleed.com\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some basics I&#8217;ve learned about this issue. OpenSSL is an open-source implementation of SSL.\u00a0 It is not the only implementation of SSL, and is not even the primary implementation of SSL.\u00a0 Most vendors have their own implementation of SSL and TLS, which is directly related. 
OpenSSL is available as an installed package, or as a &#8230; <a title=\"HeartBleed vulnerability\" class=\"read-more\" href=\"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/\" aria-label=\"Read more about HeartBleed vulnerability\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38,99,97],"tags":[],"class_list":["post-1482","post","type-post","status-publish","format-standard","hentry","category-learning","category-open-source","category-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HeartBleed vulnerability -<\/title>\n<meta name=\"description\" content=\"Some basis I&#039;ve learned about this issue. OpenSSL is an open-source implementation of SSL.\u00a0 It is not the only implementation of SSL, and is not even the - joapen projects\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HeartBleed vulnerability -\" \/>\n<meta property=\"og:description\" content=\"Some basis I&#039;ve learned about this issue. 
OpenSSL is an open-source implementation of SSL.\u00a0 It is not the only implementation of SSL, and is not even the - joapen projects\" \/>\n<meta property=\"og:url\" content=\"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"joapen projects\" \/>\n<meta property=\"article:published_time\" content=\"2014-04-11T07:39:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2015-08-12T20:47:46+00:00\" \/>\n<meta name=\"author\" content=\"joapen\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"joapen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/\"},\"author\":{\"name\":\"joapen\",\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/#\\\/schema\\\/person\\\/23919df2312175fe9c4609203595b217\"},\"headline\":\"HeartBleed vulnerability\",\"datePublished\":\"2014-04-11T07:39:33+00:00\",\"dateModified\":\"2015-08-12T20:47:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/\"},\"wordCount\":367,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/#\\\/schema\\\/person\\\/23919df2312175fe9c4609203595b217\"},\"articleSection\":[\"Learning\",\"Open 
Source\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/\",\"url\":\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/\",\"name\":\"HeartBleed vulnerability -\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/#website\"},\"datePublished\":\"2014-04-11T07:39:33+00:00\",\"dateModified\":\"2015-08-12T20:47:46+00:00\",\"description\":\"Some basis I've learned about this issue. OpenSSL is an open-source implementation of SSL.\u00a0 It is not the only implementation of SSL, and is not even the - joapen projects\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/2014\\\/04\\\/11\\\/heartbleed-vulnerability\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/joapen.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HeartBleed vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/joapen.com\\\/blog\\\/\",\"name\":\"joapen projects\",\"description\":\"Just a place to 
write\",\"publisher\":{\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/#\\\/schema\\\/person\\\/23919df2312175fe9c4609203595b217\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/joapen.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/#\\\/schema\\\/person\\\/23919df2312175fe9c4609203595b217\",\"name\":\"joapen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/joapen-mini.jpeg\",\"url\":\"https:\\\/\\\/joapen.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/joapen-mini.jpeg\",\"contentUrl\":\"https:\\\/\\\/joapen.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/joapen-mini.jpeg\",\"width\":400,\"height\":400,\"caption\":\"joapen\"},\"logo\":{\"@id\":\"https:\\\/\\\/joapen.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/joapen-mini.jpeg\"},\"sameAs\":[\"http:\\\/\\\/www.joapen.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HeartBleed vulnerability -","description":"Some basis I've learned about this issue. OpenSSL is an open-source implementation of SSL.\u00a0 It is not the only implementation of SSL, and is not even the - joapen projects","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/","og_locale":"en_US","og_type":"article","og_title":"HeartBleed vulnerability -","og_description":"Some basis I've learned about this issue. 
OpenSSL is an open-source implementation of SSL.\u00a0 It is not the only implementation of SSL, and is not even the - joapen projects","og_url":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/","og_site_name":"joapen projects","article_published_time":"2014-04-11T07:39:33+00:00","article_modified_time":"2015-08-12T20:47:46+00:00","author":"joapen","twitter_misc":{"Written by":"joapen","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/#article","isPartOf":{"@id":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/"},"author":{"name":"joapen","@id":"https:\/\/joapen.com\/blog\/#\/schema\/person\/23919df2312175fe9c4609203595b217"},"headline":"HeartBleed vulnerability","datePublished":"2014-04-11T07:39:33+00:00","dateModified":"2015-08-12T20:47:46+00:00","mainEntityOfPage":{"@id":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/"},"wordCount":367,"commentCount":0,"publisher":{"@id":"https:\/\/joapen.com\/blog\/#\/schema\/person\/23919df2312175fe9c4609203595b217"},"articleSection":["Learning","Open Source","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/","url":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/","name":"HeartBleed vulnerability -","isPartOf":{"@id":"https:\/\/joapen.com\/blog\/#website"},"datePublished":"2014-04-11T07:39:33+00:00","dateModified":"2015-08-12T20:47:46+00:00","description":"Some basis I've learned about this issue. 
OpenSSL is an open-source implementation of SSL.\u00a0 It is not the only implementation of SSL, and is not even the - joapen projects","breadcrumb":{"@id":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/joapen.com\/blog\/2014\/04\/11\/heartbleed-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/joapen.com\/blog\/"},{"@type":"ListItem","position":2,"name":"HeartBleed vulnerability"}]},{"@type":"WebSite","@id":"https:\/\/joapen.com\/blog\/#website","url":"https:\/\/joapen.com\/blog\/","name":"joapen projects","description":"Just a place to write","publisher":{"@id":"https:\/\/joapen.com\/blog\/#\/schema\/person\/23919df2312175fe9c4609203595b217"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/joapen.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/joapen.com\/blog\/#\/schema\/person\/23919df2312175fe9c4609203595b217","name":"joapen","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/joapen.com\/blog\/wp-content\/uploads\/2021\/04\/joapen-mini.jpeg","url":"https:\/\/joapen.com\/blog\/wp-content\/uploads\/2021\/04\/joapen-mini.jpeg","contentUrl":"https:\/\/joapen.com\/blog\/wp-content\/uploads\/2021\/04\/joapen-mini.jpeg","width":400,"height":400,"caption":"joapen"},"logo":{"@id":"https:\/\/joapen.com\/blog\/wp-content\/uploads\/2021\/04\/joapen-mini.jpeg"},"sameAs":["http:\/\/www.joapen.com"]}]}},"_links":{"self":[{"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/posts\/1482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joap
en.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/comments?post=1482"}],"version-history":[{"count":1,"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/posts\/1482\/revisions"}],"predecessor-version":[{"id":1483,"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/posts\/1482\/revisions\/1483"}],"wp:attachment":[{"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/media?parent=1482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/categories?post=1482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joapen.com\/blog\/wp-json\/wp\/v2\/tags?post=1482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}