  1. goodlun
    Posted On: 4/09/2014 2:35pm
    A flaw in the encryption program OpenSSL could expose much of the encrypted traffic

  2. Tranquil Suit
    Posted On: 4/09/2014 2:47pm
    Sssshhhh

    (tab) Forum > Forum Actions > General Settings > in Thread Display Options > Number of Posts to Show Per Page: 40
  3. submessenger
    Posted On: 4/09/2014 3:07pm
    I mean, it's only been broken for 2 years. Why it's a big deal now is only that somebody in the biz figured out that it's broken.

    But, yeah, if you're using the same username/password everywhere, you're dumb and deserve to be hacked. Change that behavior right now.

    All website admins running OpenSSL should go ahead and pony up for a new signed cert (edit: this means, generate a new private key and CSR), after patching their systems. 1.0.1g is the SSL you should be running - unless you're just really lazy and are still running 0.9.8, which is not vulnerable to THIS attack, but has other issues like renego and beast, I think.

    I'm a fan of Qualys' SSLLabs which will tell you many of the things wrong with your SSL config... pop over to https://www.ssllabs.com/ssltest/ to get a check for your site (they didn't have a Heartbleed check yesterday, not sure if they do today).
    Last edited by submessenger; 4/09/2014 3:14pm.
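
An added example, not part of submessenger's post and not OpenSSL tooling: a triage of `openssl version -a` output that follows the version advice in the post above. Host names and build lines are constructed, and the status labels and function names are hypothetical.

```python
import re

# Upstream OpenSSL 1.0.1 through 1.0.1f carry the Heartbleed bug; 1.0.1g fixes it.
VERSION_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")

def heartbleed_status(version_output):
    """Classify the text printed by `openssl version -a` on one host."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    base, letter = m.groups()
    if base in ("0.9.8", "1.0.0"):
        return "not affected"            # heartbeat support arrived in 1.0.1
    if base != "1.0.1":
        return "unknown"
    if letter >= "g":
        return "fixed"
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeats compiled out"
    # Distributions backported the fix without changing the letter, so the
    # version string alone cannot clear a host: confirm with the vendor advisory.
    return "vulnerable unless vendor-patched"

def needs_rekey(status_before_patch):
    """New private key, CSR and certificate if the key lived on an exposed build."""
    return status_before_patch == "vulnerable unless vendor-patched"

# Constructed inventory (hypothetical host names and build lines).
INVENTORY = {
    "web1": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_THREADS",
    "web2": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -DOPENSSL_THREADS",
    "mail": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -DOPENSSL_THREADS",
    "vpn":  "OpenSSL 1.0.1c 10 May 2012\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS",
}

def triage(inventory):
    """Map each host to its status; a 'fixed' host may still need a rekey
    if it ran an exposed build before it was patched."""
    return {host: heartbleed_status(out) for host, out in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}; rekey={needs_rekey(status)}")
```
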
  4. W. Rabbit
    Posted On: 4/09/2014 3:11pm
    Originally posted by submessenger: "Heartbleed check"
    http://filippo.io/Heartbleed/

    This one is Bad, especially when you think about how much private memory you could leak out of an HTTPS server over 2 years, one 64k chunk at a time.

    Anybody using this could compile quite an interesting data set from a server using TLS/SSL...not the least of which would be bits of private key...

    Some of the better implementations of SSL disabled the "heartbeat" function. Some will avoid this by staying on the legacy 0.9.x versions that aren't susceptible (to this).
    Last edited by W. Rabbit; 4/09/2014 3:19pm.
  5. submessenger
    Posted On: 4/09/2014 3:18pm
    Yeah, the scary part is that it's not just current conversations, but any historical dumps that may have been grabbed could be decrypted if an attacker went to the trouble of exploiting this and getting a server's private key(s).

    Piss is in the pool.
  6. W. Rabbit
    Posted On: 4/09/2014 3:19pm
    What's funniest is this sort of **** actually impacts my BJJ schedule. God damn.

    What a no win situation. Whenever these come up, I think of Airplane.

  7. submessenger
    Posted On: 4/09/2014 3:21pm
    On a side note, Wireshark is great for this - just point it to a copy of your private key, and BINGO - instant SSL decode. It's even smart enough to handle StartTLS in several circumstances.
  8. W. Rabbit
    Posted On: 4/09/2014 3:32pm
    The applications for brute forcing SSL here are tremendous.

    Knowing 1/x of a private key means you're effectively cutting the keyspace down by orders of magnitude, which is a cryptoloGIST's wet dream.

    E-commerce? Yahoo accounts??? ROFL

    This has (inter) national security ramifications.

    Last edited by W. Rabbit; 4/09/2014 3:37pm.
  9. goodlun
    Posted On: 4/09/2014 3:35pm
    On a less serious note here is my favorite infosec story of the month thus far.
    http://thehackernews.com/2014/04/5-y...soft-xbox.html
    now back to heartbleed.
  10. submessenger
    Posted On: 4/09/2014 3:40pm
    The window is 64k - entirely possible, if not probable, that the entire private key can be downloaded in one shot.
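
Why the window discussed in this thread tops out at 64k, as an added example (not code from any poster or from OpenSSL): the heartbeat message carries a 16-bit payload length, and the corrected behaviour is to discard any message whose claimed length does not fit the bytes that actually arrived. The message layout follows RFC 6520; the sample messages and function names are constructed for illustration.

```python
import struct

HEADER = 3          # 1-byte type + 2-byte payload_length (RFC 6520)
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload
MAX_CLAIM = 0xFFFF  # largest value a 16-bit length field can carry: the "64k window"

def claimed_len(msg):
    """payload_length as stated by the sender (big-endian, bytes 1-2)."""
    return struct.unpack(">H", msg[1:3])[0]

def accept_heartbeat(msg):
    """Fixed behaviour: discard unless the claimed payload fits in what arrived."""
    if len(msg) < HEADER + MIN_PADDING:
        return False
    return HEADER + claimed_len(msg) + MIN_PADDING <= len(msg)

def overread_if_trusted(msg):
    """Bytes an echo would take from past the message when the claim is not checked."""
    if len(msg) < HEADER:
        return 0
    return max(0, claimed_len(msg) - (len(msg) - HEADER))

# Constructed heartbeat message bodies (no TLS record layer, nothing is sent).
HONEST = b"\x01" + struct.pack(">H", 5) + b"hello" + bytes(MIN_PADDING)
MISMATCHED = b"\x01" + struct.pack(">H", MAX_CLAIM) + b"x" + bytes(MIN_PADDING)

def summarize(msg):
    """One row per message: what was claimed, what arrived, and the verdict."""
    return {"claimed": claimed_len(msg), "received": len(msg),
            "accepted": accept_heartbeat(msg), "overread": overread_if_trusted(msg)}

if __name__ == "__main__":
    for name, msg in (("honest", HONEST), ("mismatched", MISMATCHED)):
        print(name, summarize(msg))
```

The same comparison of claimed length against received length works as a detection rule on captured heartbeat requests.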