Runbox Forum: Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.
8 Apr 2014, 05:06 PM | #1 |
Essential Contributor
Join Date: Oct 2013
Posts: 413
A must read
8 Apr 2014, 09:08 PM | #2 |
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
To those who, like me, thought this was a link to a dodgy web site: through another route I found this:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
8 Apr 2014, 09:15 PM | #3 |
Essential Contributor
Join Date: Oct 2013
Posts: 413
8 Apr 2014, 09:35 PM | #4 |
Cornerstone of the Community
Join Date: Nov 2008
Location: UK
Posts: 549
Representative of:
Runbox.com
Yes, this is a genuine issue and we have spent the hours immediately after this news broke checking our various systems and making changes where necessary.
9 Apr 2014, 01:32 AM | #5 |
Essential Contributor
Join Date: Oct 2013
Posts: 413
9 Apr 2014, 01:41 AM | #6 |
Essential Contributor
Join Date: Oct 2013
Posts: 413
Yes, ssllabs.com added a test of the server for the "Heartbleed" vulnerability, but Runbox appears as OK. Thank you RB team. https://www.ssllabs.com/ssltest/anal...l?d=runbox.com
9 Apr 2014, 06:41 AM | #7 |
The "e" in e-mail
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938
Representative of:
Runbox.com
Thanks for bringing this to our attention (along with others).
We upgraded OpenSSL on our servers and reissued our SSL certificates as soon as we heard about it. Keep in mind that Runbox supports Perfect Forward Secrecy, which issues unique key pairs for each connection. This would prevent any eavesdropper from retroactively decrypting communications between server and client even if they managed to get the private key. http://blog.runbox.com/2013/10/runbo...rward-secrecy/

- Geir
9 Apr 2014, 08:40 AM | #8 |
Senior Member
Join Date: May 2013
Posts: 162
Security Advisory - OpenSSL TLS/DTLS
Here are a couple of alerts from Entrust and Dell SecureWorks.
------ Entrust ------

As diligent corporate citizens, we are advising you of a new threat called the Heartbleed Bug that has been reported by some researchers at Codenomicon and Google. Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL. The official reference to the Heartbleed bug is CVE-2014-0160. Heartbleed allows an attacker to read the memory of a system over the Internet and compromise the private keys, names, passwords and content. An attack is not logged and would not be detectable. The attack can be from client to server or server to client. Heartbleed is not a flaw with the SSL/TLS protocol specification, nor is it a flaw with the Entrust certification authority (CA), our certificates or the certificate management system. Heartbleed is an implementation bug that affects servers using certain versions of OpenSSL (v1.0.1 - v1.0.1f).

----- Dell SecureWorks -----

The Dell SecureWorks Counter Threat Unit(TM) (CTU) research team has been investigating a critical vulnerability in the OpenSSL cryptographic library. This vulnerability, which has been assigned CVE identifier CVE-2014-0160 and is also known as the "Heartbleed Bug," allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This issue should be considered extremely critical due to its impact, long exposure, ease of exploitation, the absence of application logs indicating an exploit attempt and the widespread availability of exploit code.

The flaw resides in the OpenSSL implementation of the TLS/DTLS (Transport Layer Security) protocols' heartbeat extension (RFC6520) due to a missing bounds check. This vulnerability reveals 64KB of memory per request to a connected client or server. An attacker can keep reconnecting or can keep requesting an arbitrary number of 64KB chunks of memory content during an active TLS connection until they have achieved their objectives.

The vulnerability was independently discovered by a member of the Google Security team and by a team of security engineers at Codenomicon. Proof-of-concept (PoC) code to exploit this vulnerability exists. OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and version 1.0.2-beta are vulnerable; branches 1.0.0 and 0.9.8 are not vulnerable.

Recommended actions: This vulnerability is resolved in OpenSSL version 1.0.1g. According to the OpenSSL advisory, version 1.0.2 will be fixed via 1.0.2-beta2. The CTU research team recommends upgrading immediately. Products that use OpenSSL libraries, such as SSL termination devices, load balancers, secure web gateways, web application firewalls, and other embedded devices, may also be vulnerable. Clients should coordinate vulnerability status and mitigation steps with appropriate vendors. After patching the vulnerability, revoke any primary key material (e.g., X.509 certificates and private keys) used by a vulnerable TLS service, and issue and distribute new keys. In addition, consider potential compromise of secondary key material, such as usernames and passwords exchanged with a vulnerable TLS endpoint. Reset secondary key material such as passwords and encryption keys, and invalidate and reset any exposed session keys and session cookies.

Dell SecureWorks actions: Dell SecureWorks CTU researchers created the following iSensor countermeasure to detect exploitation of CVE-2014-0160. Signatures for third-party managed devices will be deployed, as they are made available by their respective vendors.
- 50174 VID59478 OpenSSL TLS/DTLS Large Heartbeat Response
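The "missing bounds check" the Dell SecureWorks advisory above describes, as an added example: a minimal C model of RFC 6520 heartbeat handling written for this thread, not code from OpenSSL or from any poster. The message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) is the RFC's; the `build_response` and `demo_heartbeat` functions, the 23-byte request whose header claims a 128-byte payload, and the `password=hunter2` string placed after the record in a simulated 256-byte memory buffer are all constructed for the illustration. With `check_bounds` off the response is filled from whatever happens to sit after the received record; with it on, a request whose claimed length does not fit in the record is silently discarded, which is the shape of the check the 1.0.1g fix added.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6520 heartbeat message: 1-byte type, 2-byte big-endian payload_length,
 * payload, then at least 16 bytes of padding. Everything below is a model
 * written for this example, not OpenSSL's code. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Build the response to the heartbeat request held in rec[0..rec_len).
 * With check_bounds == 0 this mirrors the vulnerable logic: the length the
 * peer claims is trusted, and memcpy reads that many bytes from rec+3, which
 * runs past the end of the record whenever the claim exceeds what was received.
 * With check_bounds != 0 the request is discarded unless header + claimed
 * payload + padding fits in the bytes actually received (the shape of the
 * 1.0.1g fix). Returns the response length and a malloc'd buffer in *out,
 * or -1 if the request is rejected. The caller frees *out. */
int build_response(const uint8_t *rec, size_t rec_len, int check_bounds,
                   uint8_t **out)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2]; /* peer-controlled */

    if (check_bounds && 1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1; /* silently discard, as the fix does */

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    uint8_t *resp = malloc(resp_len);
    if (resp == NULL)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + 3, rec + 3, payload_len);          /* the over-read */
    memset(resp + 3 + payload_len, 0, HB_PADDING);   /* real code: random pad */
    *out = resp;
    return (int)resp_len;
}

/* True if needle occurs anywhere in buf (buf may contain NUL bytes). */
int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Simulated process memory (constructed): a 23-byte request whose header
 * claims a 128-byte payload, followed a few bytes later by an unrelated
 * secret. Returns
 *   -1  request rejected (no response sent)
 *    1  response built and it carries the secret
 *    0  response built without the secret */
int demo_heartbeat(int check_bounds)
{
    uint8_t mem[256];
    memset(mem, 0, sizeof mem);
    size_t rec_len = 0;
    mem[rec_len++] = HB_REQUEST;
    mem[rec_len++] = 0x00;               /* payload_length = 0x0080 = 128 ... */
    mem[rec_len++] = 0x80;
    memcpy(mem + rec_len, "ping", 4);    /* ... but only 4 payload bytes were sent */
    rec_len += 4 + HB_PADDING;           /* padding bytes are already zero */

    const char secret[] = "password=hunter2"; /* constructed; sits after the record */
    memcpy(mem + rec_len + 8, secret, sizeof secret);

    uint8_t *resp = NULL;
    int n = build_response(mem, rec_len, check_bounds, &resp);
    if (n < 0)
        return -1;
    int leaked = contains(resp + 3, (size_t)n - 3, secret);
    free(resp);
    return leaked;
}

int main(void)
{
    printf("vulnerable: %s\n", demo_heartbeat(0) == 1 ? "secret leaked" : "no leak");
    printf("patched:    %s\n", demo_heartbeat(1) == -1 ? "request discarded" : "answered");
    return 0;
}
```

The over-read here stays inside one stack buffer so the demonstration is deterministic; in a real process the bytes after the record are whatever the heap holds, which is why the advisories list private keys, passwords and session cookies as exposed. Note also why the fix discards rather than truncates: answering with a shorter payload would still let the peer probe how the implementation handles malformed lengths.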
11 Apr 2014, 02:04 AM | #9 |
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Today's Runbox Blog
11 Apr 2014, 02:03 PM | #10 |
Essential Contributor
Join Date: Dec 2012
Posts: 343
The account page currently lists recent webmail sessions. Does it also list recent IMAP sessions? Since I do not use IMAP, knowing if someone else got in through IMAP would be very useful in the wake of these sorts of security events.
12 Apr 2014, 03:23 PM | #11 |
Essential Contributor
Join Date: Oct 2013
Posts: 413
I don't see my recent IMAP sessions in the list. I think it only lists the webmail sessions.
12 Apr 2014, 05:03 PM | #12 |
Cornerstone of the Community
Join Date: Nov 2008
Location: UK
Posts: 549
Representative of:
Runbox.com
It does only list webmail sessions.

Listing IMAP sessions could generate a very long list if we are talking about every single IMAP login. Some people check email every few minutes, whereas a webmail session is usually longer. What might be possible at some point is to list the last x number of IPs that attempted to log in to the account via IMAP, POP and SMTP.
12 Apr 2014, 05:06 PM | #13 |
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
12 Apr 2014, 07:36 PM | #14 |
Essential Contributor
Join Date: Oct 2013
Posts: 413
13 Apr 2014, 09:31 PM | #15 |
Junior Member
Join Date: Feb 2014
Posts: 8