garym wrote: > thanks pippin. That's what I wanted to understand. I don't do remote > admin over SSL so that's a nonissue. I was assuming that without any > port forwarding I was OK, but the stuff I read on the net didn't fully > clarify that (for me at least).
Well, you read a lot of nonsense on the internet, especially in mainstream media outlets. They rarely ever have writers who really understand what was happening so the quality of the output is mixed. Generally speaking, this is what happened: 1. OpenSSL is a software that provides SSL encryption for network connections (mainly used in web servers) on Linux platforms. SSL is the encryption being used for secure web sites. 2. The latest version of OpenSSL has had a bug for almost two years which allowed someone to request some amount of information out of the memory of the server OpenSSL is running on. This had nothing to do with the encryption itself which was not breached. Good explanation: https://xkcd.com/1354/ 3. As it it happens that a web server running encryption often handles stuff that needs to be encrypted and might hold it in it's memory. This could be username/password combinations just transmitted or the actual encryption "keys" (certificates). 4. So you could theoretically request and record all of this information systematically and then search for username/password combinations or keys. In theory, someone could have done this for several years. 5. It's unlikely, though, that this has happened systematically on major sites because then it would likely have raised some attention at some point due to the weird traffic it generates. There are several reasons the bug is so severe: 1. It has nothing to do with the encryption or the connection itself. So while you can't systematically search for _your_ password using this bug someone _can_ accidentally get hold of your password _without having to intercept your data_. That's an important point, for a lot of other attacks _you_ need to be attacked, this is not the case here. 2. Since it dates so far back and since even the SSL certificates could theoretically be stolen all encryption certificates being used with OpenSSL prior to a fix have to be regarded as insecure. 3. For the same reason, all password you have used on an insecure site over the last two years has to be regarded as insecure. 4. _Theoretically_ someone who collected your communication data over the last few years could have _later_ decrypted it when he got hold of the "keys". This is something that probably especially applies to bigger organizations like the NSA but you can't rule out that lesser criminals do the same if they know they have a chance to get hold of the encryption key later. --- learn more about iPeng, the iPhone and iPad remote for the Squeezebox and Logitech UE Smart Radio as well as iPeng Party, the free Party-App, at penguinlovesmusic.com *New: iPeng 7, the Universal App for iOS 7* ------------------------------------------------------------------------ pippin's Profile: http://forums.slimdevices.com/member.php?userid=13777 View this thread: http://forums.slimdevices.com/showthread.php?t=101361 _______________________________________________ discuss mailing list [email protected] http://lists.slimdevices.com/mailman/listinfo/discuss
