Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
As the Heartbleed fallout continues, the good news is that code to protect against similar such attacks has been released. The bad news is that exploit code is also available.
Let's start with the latter, released by a chap who took up Cloudlare's challenge to coders in the hope someone, somewhere, would be able to use Heartbleed to extract a private SSL key from an undefended server it erected.
The author apologises for the inelegance of the Python code he spent a day working on. Cloudflare says the winner took just nine hours to crack the server and run off with the SSL certificate.
The availability of that code means world+dog can run it against servers of their choice and see what's on offer, which is just great.
Happily, help is also at hand. Akamai has published this patch to OpenSSL it says has the following qualities:
“It [the patch] adds a 'secure arena' that is used to store RSA private keys. This arena is mmap'd, with guard pages before and after so pointer over- and under-runs won't wander into it. It's also locked into memory so it doesn't appear on disk, and when possible it's also kept out of core files. This patch is a variant of what we've been using to help protect customer keys for a decade.”
Phew! Nice to know that's out there. But Akamai warns it is “more of a proof of concept than something that you want to put directly into production.” But the company says it will happily work with others who think it can be improved. ®