I am not running any Apache or any thing that triggers ssl libray, so is there a service in Ubuntu that runs Open ssl by default?
So, I am just booting live session for internet browser. Am I safe?
Asked
Active
Viewed 623 times
2
-
1Why are you booting livecd, not internal drive? – NoBugs Apr 13 '14 at 04:54
4 Answers
5
Short answer: No, you're not.
The heartbleed bug has been exhaustively analyzed elsewhere but the point is that it affects servers. You don't care about it with respect to your computer unless you run a server on it. This does not mean that you're safe however.
The danger is that your bank is affected by it, you should certainly change your passwords etc. The fact that you use a Live CD for banking purposes is completely irrelevant, the bug is server side, so you are as affected by it as anyone else.
terdon
- 100,812
-
6Not completely correct - if you are using a vulnerable OpenSSL then a malicious server can extract information from your browser's memory. As @Mark mentioned in his answer, Firefox on Ubuntu uses NSS and not OpenSSL, though (as does Chromium), so it is safe (although other applications may not be). – user6053 Apr 12 '14 at 21:49
3
I'll have to contradict both the other answers. If you are booting a livecd for Internet browsing and only browsing, your computer is safe from being attacked. The Heartbleed bug can be used to attack clients who connect to a hostile server just like hostile clients can use it to attack a server. However, the only client you're using is (presumably) Firefox, which uses NSS instead of OpenSSL and is thus immune.
However, you are not safe. If any servers you visit is vulnerable, any information you send to that server can be read by an attacker.
Mark
- 1,054
- 1
- 8
- 12
-
Ironically, you may not be completely safe if you have an older livecd that doesn't have the latest updates. (Firefox or others could be older, unsecure versions). – NoBugs Apr 13 '14 at 04:52
1
Before using the internet to do banking just run:
sudo apt-get update
sudo apt-get install libcurl3 openssl python-openssl ssl-cert firefox firefox-globalmenu
If you are really strapped for memory, this can be done first thing after the live system boots to maximize efficiency. Firefox should probably be updated anyway if you are banking and what-not to catch up with all the other security updates.
I found these applications by running
dpkg -l | grep OpenSSL
on a 12.04.4 Ubuntu live cd. There may be more using SSL that I've missed here, I did not search any further.
mchid
- 43,546
- 8
- 97
- 150
-
If you really want to know, run the masstest https://github.com/musalbas/heartbleed-masstest. By altering the "top-1m.csv" list of websites, you can check any URL you place on the list. – mchid Apr 13 '14 at 15:43
0
No, if you are running any version of OpenSSL from 1.0.1 through 1.0.1f. Ubuntu 12.04.4 ships with OpenSSL 1.0.1, so yes, you are subject to the bug, NO you are not safe.
If you can update to OpenSSL 1.0.1g you are safe, but as of right now, 12.04.4 ships with a susceptible version, 1.0.1.
There is a list, and a better explanation on the official Heartbleed site. Go check it out. Also, there is a question, How to patch the Heartbleed bug (CVE-2014-0160) in OpenSSL?, on the site. Check those out and you should be set.
RPiAwesomeness
- 9,783