What does Heartbleed mean for home networks?

dr.stevil

So, since I know a lot of people here run DD-WRT (which has several builds that use the affected version of OpenSSL), what risk is there in running those versions of the firmware?

I just went to DD-WRT and got the router mostly configured exactly the way that I want, so I'd really like to not have to update right away unless it's something severe. Not only that, but I'm fairly sure that there isn't even an update yet for my particular router anyway.

In which scenarios would it be dangerous to use it? (VPN, web-facing router GUI, etc.)
 
Someone could potentially gain the admin username and password and then log on and screw up your settings; that's about it.
 
In which scenarios would it be dangerous to use it? (VPN, web-facing router GUI, etc.)

I am fairly certain that the OpenVPN server used in DD-WRT uses OpenSSL and would be susceptible to heartbleed. Is it a risk? That's up to you to decide. Do you care if someone can see all of your VPN traffic if they try to? I personally would, but maybe you don't.
 
I agree with both replies. Perhaps you ought to check the installed version to see whether it is vulnerable. Gives you peace of mind, at least :)
 
Updated my OpenWRT boxes just a few days ago; worked just fine and easy.
//Danne
 
Shibby just put out (some of) his new TomatoUSB builds with OpenSSL 1.0.1g today. I'm sure other maintainers are on top of it too.
 
It's not as simple as simply upgrading the version of OpenSSL. That's not going to fix it.

To actually FIX it, you need to re-key all your SSL/TLS certificates and remove all certificates that have been used with vulnerable versions of OpenSSL.

Just want to make sure that you know it isn't a simple upgrade and poof, you're done. If you're using certs in conjunction with older versions, you're still susceptible.
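Added example (mine, not from the thread, DD-WRT or Tomato) to make the re-key point concrete: re-issuing a certificate on the same private key ("renewing") changes nothing for an attacker who already pulled the key out of a vulnerable process; only a new key pair does. The script drives the openssl CLI (assumed on PATH) to build an old self-signed cert, a renewed one on the same key and a re-keyed one, then compares SHA-256 fingerprints of each cert's SubjectPublicKeyInfo. That comparison is the check to run on any replacement cert, whether the router's HTTPS GUI cert or the OpenVPN server cert. Function names and the CN router.lan are my own.

```python
"""Added example (not from the thread): re-key vs. renew after Heartbleed.
Needs the openssl CLI on PATH. A leaked private key stays leaked however many
certificates are issued for it; only a new key pair closes the exposure."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

OPENSSL = shutil.which("openssl")   # None if the CLI is not installed

def openssl(*args, stdin=None):
    """Run one openssl command, return its stdout, raise on non-zero exit."""
    return subprocess.run([OPENSSL, *args], input=stdin, check=True,
                          capture_output=True).stdout

def generate_key(path):
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
            "-out", str(path))

def self_signed_cert(key_path, cert_path, cn):
    """Self-signed cert of the kind a router GUI serves (CN is a hypothetical name)."""
    openssl("req", "-new", "-x509", "-key", str(key_path), "-out", str(cert_path),
            "-days", "365", "-subj", "/CN=" + cn)

def spki_fingerprint(cert_path):
    """SHA-256 over the DER SubjectPublicKeyInfo: same key => same fingerprint."""
    pem_pubkey = openssl("x509", "-in", str(cert_path), "-pubkey", "-noout")
    der = openssl("pkey", "-pubin", "-outform", "DER", stdin=pem_pubkey)
    return hashlib.sha256(der).hexdigest()

def rekey_demo(workdir=None):
    """Build an 'old' cert, a renewed cert on the same key, and a re-keyed cert.
    Returns which of the two replacement certs still carries the exposed key."""
    d = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="heartbleed-rekey-"))
    old_key, new_key = d / "old.key", d / "new.key"
    generate_key(old_key)                                       # key that served while vulnerable
    generate_key(new_key)                                       # fresh key, never loaded into 1.0.1f
    self_signed_cert(old_key, d / "old.crt", "router.lan")
    self_signed_cert(old_key, d / "renewed.crt", "router.lan")  # new cert, SAME key: still exposed
    self_signed_cert(new_key, d / "rekeyed.crt", "router.lan")  # new cert, NEW key: fixed
    exposed = spki_fingerprint(d / "old.crt")
    return {
        "renewed_reuses_key": spki_fingerprint(d / "renewed.crt") == exposed,
        "rekeyed_reuses_key": spki_fingerprint(d / "rekeyed.crt") == exposed,
    }

if __name__ == "__main__":
    if OPENSSL is None:
        raise SystemExit("openssl CLI not found on PATH")
    print(rekey_demo())   # {'renewed_reuses_key': True, 'rekeyed_reuses_key': False}
```

To audit a real replacement, run spki_fingerprint() on the certificate that was installed before the upgrade and on the one installed after; if the two values match, the router was given a renewed certificate on the old key and is still carrying whatever leaked.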
 
It's not as simple as simply upgrading the version of OpenSSL. That's not going to fix it.

To actually FIX it, you need to re-key all your SSL/TLS certificates and remove all certificates that have been used with vulnerable versions of OpenSSL.

Just want to make sure that you know it isn't a simple upgrade and poof, you're done. If you're using certs in conjunction with older versions, you're still susceptible.

technically it DOES fix it...

best practice is to definitely gen new keys, but re-keying is only a precaution since your keys could have been compromised with the older versions...

at least that's how I understand it...
 
To actually FIX it, you need to re-key all your SSL/TLS certificates and remove all certificates that have been used with vulnerable versions of OpenSSL.

I don't understand why this would be necessary for internally-based services on a home lab network or even a small corporation where user sophistication doesn't go as far as knowledge of how to install software without assistance. Yes, best practice says the certs should be replaced, but realistically the cert's private key highly likely was not exposed or compromised in any way.
 
I don't understand why this would be necessary for internally-based services on a home lab network or even a small corporation where user sophistication doesn't go as far as knowledge of how to install software without assistance. Yes, best practice says the certs should be replaced, but realistically the cert's private key highly likely was not exposed or compromised in any way.

exactly, and shoot, for internal systems, there's no risk anyway...
 