SSL Not So Secure
Postby dandymcgee on Wed Apr 09, 2014 1:52 pm

http://heartbleed.com/

http://heartbleed.com/ wrote: Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey.

66% of the Internet is affected... that is insane.

http://www.openssl.org/news/vulnerabilities.html wrote: CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server.

Wow. For the last two years, pretty much all of our "secure" communications could have been easily intercepted by an anonymous attacker. The implications of this bug are nearly unimaginable. All of this because of a missing bounds check.

It's amazing for me to think a technology so fundamental to the Internet backbone has such a poor pre-release code review process.

Thoughts?
Falco Girgis wrote:It is imperative that I can broadcast my narcissistic commit strings to the Twitter! Tweet Tweet, bitches! :twisted:
dandymcgee
ES Beta Backer
Posts: 4911
Joined: Tue Apr 29, 2008 4:24 pm
Location: New Hampshire
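The "missing bounds check" from the advisory quoted above, as an added example in C (not OpenSSL's code and not posted in this thread): a toy heartbeat handler in its pre-fix and fixed shapes, run over a constructed record with a constructed secret placed in the memory right after it. The record layout, the `HB_PADDING` constant and the function names are assumptions of the example, modelled on the heartbeat message format rather than taken from any real implementation.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not OpenSSL's code. Toy heartbeat record: type(1) |
 * payload_length(2, big-endian) | payload | padding(>=16). `arena` stands in
 * for process memory: the received record with unrelated data right after it. */
#define HB_PADDING 16
static unsigned char arena[64];
static const char secret[] = "SESSION_KEY=constructed";   /* constructed sample */
/* Build a request declaring `claimed` payload bytes but carrying `actual`; returns its real length. */
static size_t build_request(uint16_t claimed, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                               /* heartbeat_request */
    arena[1] = (unsigned char)(claimed >> 8); arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);
    size_t len = 3 + actual + HB_PADDING;
    memcpy(arena + len, secret, sizeof secret);                 /* adjacent memory */
    return len;
}
/* Pre-fix shape: trusts the declared length, so memcpy reads past the record. */
static size_t heartbeat_unchecked(const unsigned char *rec, unsigned char *out) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];               /* heartbeat_response */
    memcpy(out + 3, rec + 3, claimed);
    return 3 + claimed + HB_PADDING;
}
/* Fixed shape: header + declared payload + padding must fit inside what actually
 * arrived, otherwise drop the message silently. Returns 0 on success, -1 on reject. */
static int heartbeat_checked(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t *out_len) {
    if (rec_len < (size_t)(1 + 2 + HB_PADDING)) return -1;      /* too short to parse */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + HB_PADDING > rec_len) return -1; /* the missing bounds check */
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    *out_len = 3 + claimed + HB_PADDING;
    return 0;
}
/* Malformed request claiming 48 payload bytes while carrying 4: the unchecked
 * reply carries the adjacent secret, the checked handler drops the message. */
int unchecked_leaks_secret(void) {               /* 1 if the reply contains the secret */
    unsigned char reply[128] = {0};
    size_t len = build_request(48, 4);
    return heartbeat_unchecked(arena, reply) > len &&
           memcmp(reply + len, secret, sizeof secret - 1) == 0;
}
int checked_rejects_oversized(void) {            /* 1 if the fixed handler drops it */
    unsigned char reply[128]; size_t n;
    return heartbeat_checked(arena, build_request(48, 4), reply, &n) == -1;
}
int checked_accepts_honest(void) {               /* 1 if an honest request still works */
    unsigned char reply[128]; size_t n = 0, len = build_request(4, 4);
    return heartbeat_checked(arena, len, reply, &n) == 0 && n == len;
}
```

The whole difference between the two handlers is the single comparison of the declared length against the bytes that actually arrived; everything else is identical.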

Re: SSL Not So Secure

Postby bbguimaraes on Wed Apr 09, 2014 1:58 pm

We spent most of the day discussing this at work yesterday. Pretty nasty, although the solution (or the only thing left to do) is workable: patch OpenSSL, regenerate certificates and probably reset passwords for everything.

Thankfully, this doesn't affect elysianshadows.com, because it doesn't use SSL/TLS (okay, that was mean, sorry =).
bbguimaraes
Chaos Rift Junior
Posts: 324
Joined: Wed Apr 11, 2012 5:34 pm
Location: Brazil

Re: SSL Not So Secure

Postby dandymcgee on Wed Apr 09, 2014 2:08 pm

dandymcgee
ES Beta Backer
Posts: 4911
Joined: Tue Apr 29, 2008 4:24 pm
Location: New Hampshire

Re: SSL Not So Secure

Postby bbguimaraes on Wed Apr 09, 2014 2:14 pm

Oh yes, and an article that actually explains what is going on, instead of throwing phrases like "read all the memory from the server" around:

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
bbguimaraes
Chaos Rift Junior
Posts: 324
Joined: Wed Apr 11, 2012 5:34 pm
Location: Brazil

Re: SSL Not So Secure

Postby ph0sph0ruz on Wed Apr 09, 2014 5:29 pm

Pretty nasty indeed. This one has been out there for quite some time also.
ph0sph0ruz
Chaos Rift Newbie
Posts: 39
Joined: Sat Mar 22, 2014 4:52 am