Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-12 Thread Yves Dorfsman
On 2014-04-12 00:07, David Lang wrote: It's not a verified account, but: https://twitter.com/nsa_pao/status/454720059156754434 Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public. https://twitter.com/nsa_pao/ Official page of the NSA Pu

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-12 Thread Edward Ned Harvey (lopser)
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] > On Behalf Of Hazel > > "The U.S. National Security Agency knew for at least two years about a flaw Fact or not, it's irrelevant. We all know flaws exist in all software. Sometimes the flaws are discovered by people wh

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread David Lang
On Fri, 11 Apr 2014, Phil Pennock wrote: On 2014-04-11 at 21:19 +0100, Hazel wrote: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites se

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Phil Pennock
On 2014-04-11 at 21:19 +0100, Hazel wrote: > http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html > > "The U.S. National Security Agency knew for at least two years about a flaw > in the way that many websites send sensitive information, now dubbed

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Šarūnas Burdulis
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/11/2014 04:19 PM, Hazel wrote: > > On 7 Apr 2014 21:42, "Phil Pennock" > wrote: >> >> If you're running OpenSSL 1.0.1 in any Internet-facing services, >> then you'll want to: >> >> (1) Read the advisories (2) D

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Hazel
On 7 Apr 2014 21:42, "Phil Pennock" wrote: > > If you're running OpenSSL 1.0.1 in any Internet-facing services, then > you'll want to: > > (1) Read the advisories > (2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled) > (3) Figure out if you want to do key/cert rotation on a

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Jeremy Page
"A million regular users can help to make a program more reliable (due to bug reports), but they won't make it more secure. (Except to the extent that those million users attract more attackers.) " I agree with this if "more secure" means less likely to ever have a vulnerability, but not if it is m

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Marc Fournier
Excerpts from Brandon Allbery's message of 2014-04-10 21:24:15 +0200: > On Thu, Apr 10, 2014 at 3:17 PM, Stephan Fabel wrote: > > > Question: given this issue, would anyone recommend switching SSL > > libraries? What about PolarSSL, for example? > > > > Even with this issue, I think openssl gets

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-10 Thread Bill Bogstad
On Thu, Apr 10, 2014 at 3:29 PM, Edward Ned Harvey (lopser) wrote: >> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] >> On Behalf Of Stephan Fabel >> >> Question: given this issue, would anyone recommend switching SSL >> libraries? What about PolarSSL, for example? > > Dep

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-10 Thread Edward Ned Harvey (lopser)
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] > On Behalf Of Stephan Fabel > > Question: given this issue, would anyone recommend switching SSL > libraries? What about PolarSSL, for example? Depends. Which one sees more widespread usage, more contributors maintaining,

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-10 Thread Brandon Allbery
On Thu, Apr 10, 2014 at 3:17 PM, Stephan Fabel wrote: > Question: given this issue, would anyone recommend switching SSL > libraries? What about PolarSSL, for example? > Even with this issue, I think openssl gets more security attention than most of the alternatives. Making sure you're not repla

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-10 Thread Jeremy Page
I think any complex software is going to contain bugs - at least this one you know what happened & folks could patch/resolve the issue themselves if urgent enough. I am not saying anything about PolarSSL (I am not familiar with the product in any way). But better the devil you know ---

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-10 Thread Stephan Fabel
Question: given this issue, would anyone recommend switching SSL libraries? What about PolarSSL, for example? -Stephan On 04/07/2014 10:41 AM, Phil Pennock wrote: > If you're running OpenSSL 1.0.1 in any Internet-facing services, then > you'll want to: > > (1) Read the advisories > (2) Deploy e

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-10 Thread John Stoffel
I want to point out that all these python implementations are crap in terms of documentation. I found this perl script which works much better. For me that is. https://github.com/noxxi/p5-scripts John ___ Tech mailing list Tech@lists.lopsa.org ht

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-09 Thread Starchy
On 04/09/2014 12:57 PM, Andraz Sraka wrote: > > You can test it .. > If anyone needs to test a large number of hostnames, I've tweaked this script to handle batch testing, and coverage for both TLS 1.1 and 1.2. https://github.c

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-09 Thread Andraz Sraka
On Wed, 2014-04-09 at 15:13 -0400, John Stoffel wrote: > So, has anyone shown whether sendmail (or postfix) with STARTTLS is > vulnerable as well? Google is simply overwhelmed with no good > details. You can test it .. a. s

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-09 Thread John Stoffel
So, has anyone shown whether sendmail (or postfix) with STARTTLS is vulnerable as well? Google is simply overwhelmed with no good details.

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread Phil Pennock
On 2014-04-08 at 12:51 -0700, David Lang wrote: > Basically, this bug allows you to dump the entire address space of the > server and then go digging through it. My understanding is that the address-space you can get is 64kB after the address where the current TCP read-buffer is; you can lather/ri

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread Tracy Reed
Presumably the PHP interpreter is in the same memory space. So you could also steal session cookies, database credentials, possibly form data, maybe even credit card data as it passed through. On Tue, Apr 08, 2014 at 12:51:36PM PDT, David Lang spake thusly: > On Tue, 8 Apr 2014, David Blank-Edelma

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread David Lang
On Tue, 8 Apr 2014, David Blank-Edelman wrote: On Apr 8, 2014, at 9:48 AM, Paul Graydon wrote: There is ample proof this morning that it can be used to acquire yahoo credentials with ease as Yahoo remains unpatched. So I’ve seen the screen shot too that went around, but I have to admit, I’m

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread Paul Graydon
It also allows for session interception: https://www.mattslifebytes.com/?p=533 https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/ On Tue, Apr 08, 2014 at 11:14:51AM -0700, Ray Van Dolson wrote: > On Tue, Apr 08, 2014 at 01:33:51PM -0400, David Blank-Edelman wrote: > >

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread Josh Smift
RVD> Haven't seen the screenshot, but at least in my head I'm envisioning RVD> snagging private keys then capturing corresponding traffic and being RVD> able to decrypt it. Me neither, but that was the impression I had. That would require a lot more effort than just snagging the keys, of course --

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread Ray Van Dolson
On Tue, Apr 08, 2014 at 01:33:51PM -0400, David Blank-Edelman wrote: > On Apr 8, 2014, at 9:48 AM, Paul Graydon wrote: > > > There is ample proof this morning that it can be used to acquire yahoo > > credentials with ease as Yahoo remains unpatched. > > So I’ve seen the screen shot too that wen

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread David Blank-Edelman
On Apr 8, 2014, at 9:48 AM, Paul Graydon wrote: > There is ample proof this morning that it can be used to acquire yahoo > credentials with ease as Yahoo remains unpatched. So I’ve seen the screen shot too that went around, but I have to admit, I’m curious about the mechanics behind that. Woul

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread Brandon Allbery
On Tue, Apr 8, 2014 at 9:48 AM, Paul Graydon wrote: > There is ample proof this morning that it can be used to acquire yahoo > credentials with ease as Yahoo remains unpatched. Security researchers are > having a field day, so you can be pretty sure black hats are too. Yahoo's apparently got so

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread Paul Graydon
There is ample proof this morning that it can be used to acquire yahoo credentials with ease as Yahoo remains unpatched. Security researchers are having a field day, so you can be pretty sure black hats are too. Phil Pennock wrote: >On 2014-04-07 at 17:56 -0700, Paul Graydon wrote: >> Bear in

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-08 Thread Phil Pennock
On 2014-04-07 at 17:56 -0700, Paul Graydon wrote: > Bear in mind that there is no way to tell if you've been compromised > or not. If you can, it's worth erring on the side of caution. Indeed. The disclosure is just extra data sent back in a frame from the server, without the connection being dro

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-07 Thread Paul Graydon
Bear in mind that there is no way to tell if you've been compromised or not. If you can, it's worth erring on the side of caution. Phil Pennock wrote: >If you're running OpenSSL 1.0.1 in any Internet-facing services, then >you'll want to: > > (1) Read the advisories > (2) Deploy emergency upda

[lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-07 Thread Phil Pennock
If you're running OpenSSL 1.0.1 in any Internet-facing services, then you'll want to: (1) Read the advisories (2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled) (3) Figure out if you want to do key/cert rotation on assumption of compromise Short version: length-check
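The mechanics the thread keeps circling back to (Phil's "64kB after the read-buffer", the response arriving as an ordinary frame with nothing logged, and the original post's "length-check" summary) fit in a few dozen lines. The following is an added example, not code from OpenSSL or from anyone on the list: it models the heartbeat handler from OpenSSL 1.0.1 through 1.0.1f beside the 1.0.1g version, over a constructed read buffer. The `struct read_buffer`, the planted `db_password=hunter2` string, the 8 KiB region and the model-only bounds guard in `heartbeat_vulnerable` are assumptions of this program, not part of OpenSSL; the two `if` checks in `heartbeat_fixed` are the ones 1.0.1g added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1    /* TLS1_HB_REQUEST */
#define HB_RESPONSE 2    /* TLS1_HB_RESPONSE */
#define HB_PADDING  16   /* minimum padding a heartbeat message must carry */

/* Stand-in for s->s3->rrec (model, not OpenSSL's struct): the received record
 * sits at the start of a larger region that also holds unrelated data. */
struct read_buffer {
    unsigned char *data;   /* rrec.data: start of the received record */
    size_t length;         /* rrec.length: bytes actually received */
    size_t region_len;     /* size of the backing allocation (model only) */
};

/* Build a heartbeat request whose 2-byte length field claims claimed_len
 * payload bytes while only real_len are actually sent. Returns bytes written. */
size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                       const unsigned char *payload, size_t real_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    return 3 + real_len;
}

/* Shared tail, same shape as the original: memcpy copies `payload` bytes from
 * the request payload, whatever actually lies there. Returns response length. */
static long write_response(const unsigned char *pl, unsigned int payload,
                           unsigned char **resp)
{
    unsigned char *bp = malloc(1 + 2 + payload + HB_PADDING);
    if (bp == NULL)
        return -1;
    *resp = bp;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                /* the over-read happens here */
    memset(bp + payload, 0, HB_PADDING);    /* RAND_pseudo_bytes() in OpenSSL */
    return 1 + 2 + (long)payload + HB_PADDING;
}

/* 1.0.1 through 1.0.1f: `payload` comes straight from the attacker's record and
 * is never compared with rrec.length, so a 3-byte request claiming 65535 bytes
 * gets back up to 64 KiB of whatever follows the record in memory. */
long heartbeat_vulnerable(const struct read_buffer *rb, unsigned char **resp)
{
    const unsigned char *p = rb->data;
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (hbtype != HB_REQUEST)
        return 0;
    /* Model-only guard keeping this program inside its own array; the real
     * code had nothing here and read adjacent heap memory. */
    if (3 + (size_t)payload > rb->region_len)
        return -1;
    return write_response(p, payload, resp);
}

/* 1.0.1g: two length checks close the hole. A malformed request is silently
 * discarded (return 0), and a valid one answered, so neither path logs anything. */
long heartbeat_fixed(const struct read_buffer *rb, unsigned char **resp)
{
    const unsigned char *p = rb->data;
    if (1 + 2 + HB_PADDING > rb->length)
        return 0;                     /* too short to hold type+length+padding */
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rb->length)
        return 0;                     /* claimed length exceeds what arrived */
    if (hbtype != HB_REQUEST)
        return 0;
    return write_response(p, payload, resp);
}

/* Byte-string search; the response is not NUL-terminated, so no strstr. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Constructed scenario: a request claiming 4000 payload bytes but carrying 3,
 * with a planted secret 256 bytes further into the same region. Returns 1 if
 * the chosen handler's response contains the secret, 0 otherwise. */
int secret_leaked(int use_fixed)
{
    static const char secret[] = "db_password=hunter2";   /* constructed */
    unsigned char region[8192];
    memset(region, 'A', sizeof region);
    struct read_buffer rb = { region, 0, sizeof region };
    rb.length = build_heartbeat(region, 4000, (const unsigned char *)"hb!", 3);
    memcpy(region + 256, secret, sizeof secret);
    unsigned char *resp = NULL;
    long n = use_fixed ? heartbeat_fixed(&rb, &resp)
                       : heartbeat_vulnerable(&rb, &resp);
    int leaked = (n > 0) && contains(resp, (size_t)n, secret);
    free(resp);
    return leaked;
}

/* A well-formed request (claimed == real, padding present) must still be
 * answered by the fixed code. Returns the response length (1+2+3+16 = 22). */
long valid_request_response_len(void)
{
    unsigned char region[64] = {0};
    struct read_buffer rb = { region, 0, sizeof region };
    rb.length = build_heartbeat(region, 3, (const unsigned char *)"hb!", 3) + HB_PADDING;
    unsigned char *resp = NULL;
    long n = heartbeat_fixed(&rb, &resp);
    free(resp);
    return n;
}
```

`secret_leaked(0)` returns 1 and `secret_leaked(1)` returns 0: same request, same memory, the only difference is the comparison against `rrec.length`. The point for the "have I been compromised" question in the thread is visible in `heartbeat_fixed` too: a probe is either answered like any other heartbeat or dropped without an alert, so there is nothing server-side to go back and look for.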