On Wed, Apr 16, 2014 at 09:22:31PM +0200, Reindl Harald wrote a message of 82 lines which said:
> frankly outside a public hotspot / untrusted network nobody but the
> NSA and other agencies are really able to MITM
As explained by Tim, this is false. He forgot to mention another
attack vec
On 17.04.2014 01:06, Tim wrote:
>> and the others need a MITM attack which is not *that* easy
>> as connect to a server and send a heartbleed-packet without
>> anything in the logs of the attacked server
>
> I agree with you here. It seems that Lucky13 requires much more
> access and is much
> and the others need a MITM attack which is not *that* easy
> as connect to a server and send a heartbleed-packet without
> anything in the logs of the attacked server
I agree with you here. It seems that Lucky13 requires much more
access and is much harder to pull off in practice. Unless ther
Also remember to actually try the exploit, even if you think your
0.9.8 installation isn't vulnerable. We found several devices which
were running a safe version in the audit paperwork, but actually
running a vulnerable version in practice.
-Paul
On Wed, Apr 16, 2014 at 6:03 PM, Ron Bowes wrote:
and the others need a MITM attack which is not *that* easy
as connect to a server and send a heartbleed-packet without
anything in the logs of the attacked server
frankly outside a public hotspot / untrusted network nobody
but the NSA and other agencies are really able to MITM
Am 16.04.2014 2
The fact that for BEAST, CRIME and LT there is not a fully implemented
and *public* PoC doesn't mean
that those attacks were/are not critical.
They were very critical when they came out, and involved more trickery
than Heartbleed to work.
I guess you can find full PoC implementations if you searc
On Wed, 16 Apr 2014 18:10:15 +0800
Shawn wrote:
> I do believe Lucky-thirteen is far
> more dangerous than heartbleed, we just don't know.
I'd really like to hear some arguments to back that claim.
Basically, Lucky13 is a protocol problem and thus the fix is a bit less
obvious than for heartblee
Are there actually any real-world attack scenarios for BEAST, CRIME, or
Lucky-thirteen?
Heartbleed has been used in actual legitimate attacks, but those earlier
attacks all seem pretty tame in comparison. Worth fixing, of course, but
they don't seem *as* critical to me.
Ron
On Wed, Apr 16, 2014
After an exciting and crazy week, people are getting calm and planning or
already starting to audit their systems. But there is something
you might miss. The older versions of OpenSSL (like 0.9.8) might not be
affected by the heartbleed issue, but it doesn't mean you are secure. Don't
forget the old OpenS