
I understand PHP's built-in random functions (rand(), mt_rand()) are not very safe, so I started using openssl_random_pseudo_bytes. After reading the news, I noticed the Heartbleed bug, and how it's caused by something in OpenSSL.

Is it still safe to use this with Heartbleed around? Sorry that this is kind of a stupid question.

It's the only function I'm using; I'm not using any other OpenSSL function.

JaredCubilla
  • Well, an attacker could theoretically (and possibly) get OpenSSL's internal generator state and use it to break the ephemeral key exchanges with other clients. So you should patch your server. While you're at it, delete the `.rnd` file and let OpenSSL seed itself from an untainted seed (assuming the generator was compromised). – jww Apr 17 '14 at 05:41
  • This question belongs on another site in the Stack Exchange network. Perhaps serverfault.com, crypto.stackexchange.com, or security.stackexchange.com. – jww Apr 17 '14 at 05:42

1 Answer


If you have:

  • updated to the newest patched version of OpenSSL,
  • changed your keys for your certificates,
  • changed all passwords or forced users to change passwords,

then you should no longer be affected by Heartbleed.

If you have not upgraded, you are still vulnerable to Heartbleed, and whatever you use or pass along the internet can be caught and exposed.

If this is the only thing you're using OpenSSL for, though, you should be fine. All it is doing is creating a cryptographically unique string, unlike rand(), which can create infinite duplicates over time.

Cyassin
  • I have not installed OpenSSL as a package, I simply used the openssl_random_pseudo_bytes function. Is that affected by Heartbleed? – JaredCubilla Apr 16 '14 at 01:23
  • Then no, it is just used to create a cryptographically unique string. Nothing is exposed in a generated string. – Cyassin Apr 16 '14 at 01:24
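
As an added example (not code from the question, the answer or the comments), a fail-closed wrapper around `openssl_random_pseudo_bytes()` that checks the strong-result flag and reports which OpenSSL library PHP is linked against, so it can be compared with the vendor's patched release. The helper names `secure_token()` and `linked_openssl_version()` are hypothetical.

```php
<?php
// Added example: secure_token() and linked_openssl_version() are hypothetical helpers.

function secure_token($bytes = 32)
{
    if (!is_int($bytes) || $bytes < 16) {
        throw new InvalidArgumentException('Use at least 16 bytes (128 bits) for secrets.');
    }

    // PHP 7+ provides random_bytes(), which reads the OS CSPRNG and throws on failure.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }

    if (!function_exists('openssl_random_pseudo_bytes')) {
        throw new RuntimeException('No CSPRNG available: openssl extension is not loaded.');
    }

    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);

    // Fail closed on a failed call, a short read, or output that OpenSSL
    // did not flag as cryptographically strong.
    if ($raw === false || strlen($raw) !== $bytes || $strong !== true) {
        throw new RuntimeException('openssl_random_pseudo_bytes() did not return strong output.');
    }

    return bin2hex($raw);
}

function linked_openssl_version()
{
    // OPENSSL_VERSION_TEXT is defined by PHP's openssl extension and names the
    // library PHP was linked against, even if no openssl package was installed by hand.
    // Distributions often backport fixes without changing the upstream version
    // string, so compare it with the distribution's own advisory.
    return defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : null;
}

$token = secure_token(32);
$version = linked_openssl_version();

printf("token: %s (%d hex chars)\n", $token, strlen($token));
printf("linked OpenSSL: %s\n", $version !== null ? $version : 'openssl extension not loaded');
```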