Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-27 Thread Tzafrir Cohen
On Sun, Apr 27, 2014 at 12:17:45PM +0300, Nadav Har'El wrote:
> On Sun, Apr 27, 2014, Tzafrir Cohen wrote about "Re: [Haifux] The Heartbeat 
> vulnerability in OpenSSL (and hence ssh/https)":
> > On Sat, Apr 26, 2014 at 02:20:17PM +0300, Sorana Fraier wrote:
> > > There is now a fork by openbsd people for openssl. It's called libressl.
> > > 
> > > http://www.libressl.org/
> > > 
> > > They crave for more people to help.
> > 
> > Not really. If they wanted more people they wouldn't use the OpenBSD
> > CVS.
> 
> Not everyone has been drinking from the "distributed version-control
> system" Kool-Aid. I agree that CVS should be dropped for Subversion which
> is more-or-less a superset of CVS, but let's not judge them harshly for
> not using Git.

I don't judge them for not using git. I judge them for using CVS.

In fact they clearly state on their page that they're not looking for
code contributions as the code is not ready yet.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
tzaf...@debian.org|| friend
___
Haifux mailing list
Haifux@haifux.org
http://haifux.org/mailman/listinfo/haifux


Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-27 Thread Nadav Har'El
On Sun, Apr 27, 2014, Tzafrir Cohen wrote about "Re: [Haifux] The Heartbeat 
vulnerability in OpenSSL (and hence ssh/https)":
> On Sat, Apr 26, 2014 at 02:20:17PM +0300, Sorana Fraier wrote:
> > There is now a fork by openbsd people for openssl. It's called libressl.
> > 
> > http://www.libressl.org/
> > 
> > They crave for more people to help.
> 
> Not really. If they wanted more people they wouldn't use the OpenBSD
> CVS.

Not everyone has been drinking from the "distributed version-control
system" Kool-Aid. I agree that CVS should be dropped for Subversion which
is more-or-less a superset of CVS, but let's not judge them harshly for
not using Git.

If you look at many projects even with extensive contributions from the
general public, you'll see that many times the general public sends
contributions as *patches*, which are reviewed and committed by only a
handful of "committers". For this sort of development model, you
do not need a distributed version control system, such as git.

Git is much more complex for outsiders to use (see the funny random-
git-manpage-generator page, http://git-man-page-generator.lokaltog.net/,
which pokes fun at git's dozens of weird subcommands). It forces a
casual contributor to "clone" huge repositories instead of just the
latest state.

Yes, git (and other distributed vcs) has a lot of interesting
properties, my favourite being that every developer becomes a full
backup of the project's version control system, but it should not be
considered the only good alternative, and other alternatives (such
as Subversion) should not be automatically considered outdated junk.

-- 
Nadav Har'El|   Sunday, Apr 27 2014, 27 Nisan 5774
n...@math.technion.ac.il |-
Phone +972-523-790466, ICQ 13349191 |A thing is not necessarily true because a
http://nadav.harel.org.il   |man dies for it. - Oscar Wilde


Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-26 Thread Tzafrir Cohen
On Sat, Apr 26, 2014 at 02:20:17PM +0300, Sorana Fraier wrote:
> There is now a fork by openbsd people for openssl. It's called libressl.
> 
> http://www.libressl.org/
> 
> They crave for more people to help.

Not really. If they wanted more people they wouldn't use the OpenBSD
CVS.

This is the only example I can think of of a project switching from Git
to CVS. Though we had OpenOffice switching from Mercurial to Subversion
when moving to Apache.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
tzaf...@debian.org|| friend


Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-26 Thread ik
On Sat, Apr 26, 2014 at 2:20 PM, Sorana Fraier wrote:

> There is now a fork by openbsd people for openssl. It's called libressl.
>
> http://www.libressl.org/
>

Why a fork ?!
There are bugs, some of them are set to be security risks, but you can
never avoid bugs.
And when C and C++ are your main programming languages, the number of bugs
rises, due to so many reasons such as:
1. memory management (with all of its issues)
2. improper data input
3. code that is hard to read and understand

etc...

I do think that the heartbleed issue was anything else but a bug, and
rewriting code will not make things less vulnerable for the next big bug
that might exist.

So why do they fork it ?!


>
> They crave for more people to help.
>
>
> On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev wrote:
>
>> If any of you guys and gals think this isn't serious, think twice. The
>> CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
>> of being announced. There is a wave of security compromises all over the
>> world and sane CAs are offering free renewals of SSL certificates.
>>
>>
>> On 04/11/2014 08:35 AM, Eli Billauer wrote:
>>
>> Hi all,
>>
>> I suppose that the security freaks already know about this, and still,
>> this seems important enough for an alert.
>>
>> In a nutshell, a bug in the mechanism that allows keepalive messages to
>> be sent to maintain an SSL link, also allows, accidentally, a remote
>> attacker to read a segment of up to 64 kBytes from the server's memory.
>> It doesn't give access to any chunk of 64 kBytes, but it's a segment
>> which is likely to be dirty with data that belongs to the process
>> running openSSL. So there's a chance that data related to private keys
>> and passwords is revealed this way.
>>
>> See http://en.wikipedia.org/wiki/Heartbleed
>>
>> I haven't found any tool checking a local SSH server, say as source code
>> in C. I suppose it's being avoided for the sake of not supplying the
>> almost-finished attack to script kiddies.
>>
>> Hag Sameah,
>>
>> Eli
>>


Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-26 Thread Sorana Fraier
There is now a fork by openbsd people for openssl. It's called libressl.

http://www.libressl.org/

They crave for more people to help.


On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev wrote:

> If any of you guys and gals think this isn't serious, think twice. The
> CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
> of being announced. There is a wave of security compromises all over the
> world and sane CAs are offering free renewals of SSL certificates.
>
>
> On 04/11/2014 08:35 AM, Eli Billauer wrote:
>
> Hi all,
>
> I suppose that the security freaks already know about this, and still,
> this seems important enough for an alert.
>
> In a nutshell, a bug in the mechanism that allows keepalive messages to
> be sent to maintain an SSL link, also allows, accidentally, a remote
> attacker to read a segment of up to 64 kBytes from the server's memory.
> It doesn't give access to any chunk of 64 kBytes, but it's a segment
> which is likely to be dirty with data that belongs to the process
> running openSSL. So there's a chance that data related to private keys
> and passwords is revealed this way.
>
> See http://en.wikipedia.org/wiki/Heartbleed
>
> I haven't found any tool checking a local SSH server, say as source code
> in C. I suppose it's being avoided for the sake of not supplying the
> almost-finished attack to script kiddies.
>
> Hag Sameah,
>
> Eli


Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-14 Thread Michael Vasiliev

  
  
If any of you guys and gals think this isn't serious, think twice. The
CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
of being announced. There is a wave of security compromises all over the
world and sane CAs are offering free renewals of SSL certificates.

On 04/11/2014 08:35 AM, Eli Billauer wrote:

Hi all,

I suppose that the security freaks already know about this, and still, 
this seems important enough for an alert.

In a nutshell, a bug in the mechanism that allows keepalive messages to 
be sent to maintain an SSL link, also allows, accidentally, a remote 
attacker to read a segment of up to 64 kBytes from the server's memory. 
It doesn't give access to any chunk of 64 kBytes, but it's a segment 
which is likely to be dirty with data that belongs to the process 
running openSSL. So there's a chance that data related to private keys 
and passwords is revealed this way.

See http://en.wikipedia.org/wiki/Heartbleed

I haven't found any tool checking a local SSH server, say as source code 
in C. I suppose it's being avoided for the sake of not supplying the 
almost-finished attack to script kiddies.

Hag Sameah,

Eli


Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-11 Thread Tzafrir Cohen
On Fri, Apr 11, 2014 at 08:35:00AM +0300, Eli Billauer wrote:
> Hi all,
> 
> I suppose that the security freaks already know about this, and still, 
> this seems important enough for an alert.
> 
> In a nutshell, a bug in the mechanism that allows keepalive messages to 
> be sent to maintain an SSL link, also allows, accidentally, a remote 
> attacker to read a segment of up to 64 kBytes from the server's memory. 
> It doesn't give access to any chunk of 64 kBytes, but it's a segment 
> which is likely to be dirty with data that belongs to the process 
> running openSSL. So there's a chance that data related to private keys 
> and passwords is revealed this way.
> 
> See http://en.wikipedia.org/wiki/Heartbleed
> 
> I haven't found any tool checking a local SSH server, say as source code 
> in C. I suppose it's being avoided for the sake of not supplying the 
> almost-finished attack to script kiddies.

SSH is safe from this - it does not use this mechanism. Its protocol is
different. Likewise, GPG is safe from this bug as it is built with
GnuTLS.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
tzaf...@debian.org|| friend


[Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-10 Thread Eli Billauer
Hi all,

I suppose that the security freaks already know about this, and still, 
this seems important enough for an alert.

In a nutshell, a bug in the mechanism that allows keepalive messages to 
be sent to maintain an SSL link, also allows, accidentally, a remote 
attacker to read a segment of up to 64 kBytes from the server's memory. 
It doesn't give access to any chunk of 64 kBytes, but it's a segment 
which is likely to be dirty with data that belongs to the process 
running openSSL. So there's a chance that data related to private keys 
and passwords is revealed this way.

See http://en.wikipedia.org/wiki/Heartbleed

I haven't found any tool checking a local SSH server, say as source code 
in C. I suppose it's being avoided for the sake of not supplying the 
almost-finished attack to script kiddies.

Hag Sameah,

Eli

-- 
Web: http://www.billauer.co.il
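The keepalive bug Eli describes above, as an added example written for this page (not code from the thread, nor from OpenSSL or LibreSSL): the RFC 6520 heartbeat record layout, the bounds check that the fix introduced, and how far a length-trusting responder would have read past a record whose length field is oversized. The two records and all function names are constructed for the illustration.

```c
/* Added example: the shape of the Heartbleed defect and of its fix, on
 * constructed heartbeat records (no live traffic, no real over-read).
 * RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_HDR_LEN  3
#define HB_MIN_PAD  16

/* Constructed records, not captured data. Both carry 3 payload bytes and
 * 16 padding bytes; only the length field differs (3 versus 65535). */
static const uint8_t HB_OK[]  = {HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
                                 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static const uint8_t HB_BAD[] = {HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c',
                                 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

/* Hardened parser: the number of payload bytes a responder may echo, or -1
 * when the record is rejected. The decisive test is the one the fix added:
 * header + claimed payload + minimum padding must fit in the bytes that were
 * actually received, so the length field can never outrun the buffer. */
static long hb_echo_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + payload + HB_MIN_PAD > rec_len)
        return -1;                 /* length field lies about the record */
    return (long)payload;
}

/* How many bytes the pre-fix logic, which copied 'payload' bytes on the
 * strength of the length field alone, would have read past the end of the
 * received record. Computed arithmetically; nothing is actually read. */
static long hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN) return 0;
    size_t payload   = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - HB_HDR_LEN;
    return payload > available ? (long)(payload - available) : 0;
}

int main(void)
{
    printf("well-formed: echo %ld bytes, over-read %ld\n",
           hb_echo_len(HB_OK, sizeof HB_OK), hb_overread(HB_OK, sizeof HB_OK));
    printf("oversized length: echo %ld, over-read would be %ld bytes\n",
           hb_echo_len(HB_BAD, sizeof HB_BAD), hb_overread(HB_BAD, sizeof HB_BAD));
    return 0;
}
```

The 64 kByte figure in the alert is exactly the 16-bit length field: 65535 claimed bytes against 19 received leaves 65516 bytes of process memory that the unchecked version would have copied into the reply.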
