SSL Not So Secure

dandymcgee
ES Beta Backer
Posts: 4709
Joined: Tue Apr 29, 2008 3:24 pm
Current Project: https://github.com/dbechrd/RicoTech
Favorite Gaming Platforms: NES, Sega Genesis, PS2, PC
Programming Language of Choice: C
Location: San Francisco

SSL Not So Secure

Post by dandymcgee »

http://heartbleed.com/
http://heartbleed.com/ wrote:Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey.
66% of the Internet is affected... that is insane.
http://www.openssl.org/news/vulnerabilities.html wrote:CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server
Wow. For the last two years, pretty much all of our "secure" communications could have been easily intercepted by an anonymous attacker. The implications of this bug are nearly unimaginable. All of this because of a missing bounds check.

It's amazing for me to think a technology so fundamental to the Internet backbone has such a poor pre-release code review process.

Thoughts?
Falco Girgis wrote:It is imperative that I can broadcast my narcissistic commit strings to the Twitter! Tweet Tweet, bitches! :twisted:
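The "missing bounds check" quoted above is easiest to see in code. The following is an added example, not code from this thread or from OpenSSL: a toy heartbeat responder that trusts the record's own length field, beside one that checks that length against the bytes that actually arrived. The record layout, the memory arena and the "secret" that sits next to the record are all constructed for the demo, and the unchecked read is confined to the arena so the program itself has no undefined behaviour. The check in the fixed version has the same shape as the one in the OpenSSL patch linked later in the thread (header plus claimed payload plus the 16 bytes of minimum padding must fit in the received record).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified heartbeat record: 1 byte type, 2 bytes
 * payload_length (big-endian), the payload, then at least 16 bytes of
 * padding. Not the real OpenSSL structures. */
#define ARENA_SIZE 256
#define HDR_LEN 3
#define MIN_PADDING 16

/* Simulated process memory: the received record sits at the front and
 * unrelated connection state (a constructed "secret") happens to follow it. */
typedef struct {
    uint8_t bytes[ARENA_SIZE];
    size_t record_len;   /* how many bytes of the record actually arrived */
} arena_t;

static const char SECRET[] = "session-cookie=CONSTRUCTED_EXAMPLE";

/* Build an arena holding a record that claims `claimed_len` payload bytes
 * but really carries `actual_len`, followed by the secret. */
void build_arena(arena_t *a, uint16_t claimed_len, size_t actual_len) {
    if (HDR_LEN + actual_len + MIN_PADDING + sizeof SECRET > ARENA_SIZE)
        actual_len = ARENA_SIZE - HDR_LEN - MIN_PADDING - sizeof SECRET;
    memset(a->bytes, 0, sizeof a->bytes);
    a->bytes[0] = 1;                              /* heartbeat_request */
    a->bytes[1] = (uint8_t)(claimed_len >> 8);
    a->bytes[2] = (uint8_t)(claimed_len & 0xff);
    memset(a->bytes + HDR_LEN, 'A', actual_len);  /* payload */
    a->record_len = HDR_LEN + actual_len + MIN_PADDING;
    memcpy(a->bytes + a->record_len, SECRET, sizeof SECRET);
}

static uint16_t claimed_payload_len(const arena_t *a) {
    return (uint16_t)(((uint16_t)a->bytes[1] << 8) | a->bytes[2]);
}

/* Vulnerable responder: copies as many bytes as the peer's length field
 * says, reading past the end of what was received. The clamp to the arena
 * exists only so this demo stays inside its own buffer. */
size_t respond_unchecked(const arena_t *a, uint8_t *out, size_t out_cap) {
    size_t n = claimed_payload_len(a);
    if (n > out_cap) n = out_cap;
    if (HDR_LEN + n > ARENA_SIZE) n = ARENA_SIZE - HDR_LEN;
    memcpy(out, a->bytes + HDR_LEN, n);
    return n;
}

/* Fixed responder: the claimed length must fit inside the record that
 * actually arrived, padding included; otherwise the record is dropped. */
size_t respond_checked(const arena_t *a, uint8_t *out, size_t out_cap) {
    if (a->record_len < HDR_LEN) return 0;
    size_t payload_len = claimed_payload_len(a);
    if (HDR_LEN + payload_len + MIN_PADDING > a->record_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, a->bytes + HDR_LEN, payload_len);
    return payload_len;
}

/* Did the echoed bytes include memory that was never part of the record? */
int leaks_secret(const uint8_t *out, size_t n) {
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    arena_t a;
    uint8_t out[ARENA_SIZE];
    build_arena(&a, 200, 8);   /* record claims 200 payload bytes, carries 8 */
    size_t n = respond_unchecked(&a, out, sizeof out);
    printf("unchecked: echoed %zu bytes, secret leaked: %s\n",
           n, leaks_secret(out, n) ? "yes" : "no");
    n = respond_checked(&a, out, sizeof out);
    printf("checked:   echoed %zu bytes (malformed record dropped)\n", n);
    return 0;
}
```

An honest record (claimed length equal to the bytes sent) gets the same echo from both responders; the difference shows only when the two disagree, which is exactly the case the original code never looked at.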
bbguimaraes
Chaos Rift Junior
Posts: 294
Joined: Wed Apr 11, 2012 4:34 pm
Programming Language of Choice: c++
Location: Brazil

Re: SSL Not So Secure

Post by bbguimaraes »

We spent most of the day discussing this at work yesterday. Pretty nasty, although the solution (or the only thing left to do) is workable: patch openssl, regenerate certificates and probably reset passwords for everything.

Thankfully, this doesn't affect elysianshadows.com, because it doesn't use ssl/tls (okay, that was mean, sorry =).

Re: SSL Not So Secure

Post by dandymcgee »

Also, here's the patch diff for anyone interested: http://git.openssl.org/gitweb/?p=openss ... e6e04cc802

Re: SSL Not So Secure

Post by bbguimaraes »

Oh yes, and an article that actually explains what is going on, instead of throwing phrases like "read all the memory from the server" around:

http://blog.existentialize.com/diagnosi ... d-bug.html
ph0sph0ruz
Chaos Rift Newbie
Posts: 32
Joined: Sat Mar 22, 2014 3:52 am
Favorite Gaming Platforms: PC,Xbox,Dreamcast
Programming Language of Choice: C,C++

Re: SSL Not So Secure

Post by ph0sph0ruz »

Pretty nasty indeed. This one has been out there for quite some time also.