Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)
On Sun, Apr 27, 2014 at 12:17:45PM +0300, Nadav Har'El wrote:
> On Sun, Apr 27, 2014, Tzafrir Cohen wrote about Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https):
> > On Sat, Apr 26, 2014 at 02:20:17PM +0300, Sorana Fraier wrote:
> > > There is now a fork by openbsd people for openssl. It's called libressl.
> > > http://www.libressl.org/
> > > They crave for more people to help.
> >
> > Not really. If they wanted more people they wouldn't use the OpenBSD CVS.
>
> Not everyone has been drinking from the distributed version-control system Kool-Aid. I agree that CVS should be dropped for Subversion, which is more-or-less a superset of CVS, but let's not judge them harshly for not using Git.

I don't judge them for not using git. I judge them for using CVS.

In fact they clearly state on their page that they're not looking for code contributions as the code is not ready yet.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il ||                     a Mutt's
tzaf...@cohens.org.il ||                     best
tzaf...@debian.org    ||                     friend

___
Haifux mailing list
Haifux@haifux.org
http://haifux.org/mailman/listinfo/haifux
Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)
On Sat, Apr 26, 2014 at 2:20 PM, Sorana Fraier sf10...@gmail.com wrote:
> There is now a fork by openbsd people for openssl. It's called libressl.
> http://www.libressl.org/

Why a fork?! There are bugs, some of them are set to be security risks, but you can never avoid bugs. And when C and C++ are your main programming languages, the number of bugs rises, due to so many reasons such as:
1. memory management (with all of its issues)
2. Improper data input
3. hard code to read and understand
etc...

I do think that the heartbleed issue was anything else but a bug, and rewriting code will not make things less vulnerable for the next big bug that might exist.

So why do they fork it?!

> They crave for more people to help.
>
> On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev li...@infoscav.net wrote:
> > If any of you guys and gals think this isn't serious, think twice. The CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours of being announced. There is a wave of security compromises all over the world and sane CAs are offering free renewals of SSL certificates.
> >
> > On 04/11/2014 08:35 AM, Eli Billauer wrote:
> > > Hi all,
> > >
> > > I suppose that the security freaks already know about this, and still, this seems important enough for an alert.
> > >
> > > In a nutshell, a bug in the mechanism that allows keepalive messages to be sent to maintain an SSL link also allows, accidentally, a remote attacker to read a segment of up to 64 kBytes from the server's memory. It doesn't give access to any chunk of 64 kBytes, but it's a segment which is likely to be dirty with data that belongs to the process running openSSL. So there's a chance that data related to private keys and passwords is revealed this way.
> > >
> > > See http://en.wikipedia.org/wiki/Heartbleed
> > >
> > > I haven't found any tool checking a local SSH server, say as source code in C. I suppose it's being avoided for the sake of not supplying the almost-finished attack to script kiddies.
> > >
> > > Hag Sameah,
> > > Eli
Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)
On Sat, Apr 26, 2014 at 02:20:17PM +0300, Sorana Fraier wrote:
> There is now a fork by openbsd people for openssl. It's called libressl.
> http://www.libressl.org/
> They crave for more people to help.

Not really. If they wanted more people they wouldn't use the OpenBSD CVS.

This is the only example I can think of of a project switching from Git to CVS. Though we had OpenOffice switching from Mercurial to Subversion when moving to Apache.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il ||                     a Mutt's
tzaf...@cohens.org.il ||                     best
tzaf...@debian.org    ||                     friend
Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)
If any of you guys and gals think this isn't serious, think twice. The CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours of being announced. There is a wave of security compromises all over the world and sane CAs are offering free renewals of SSL certificates.

On 04/11/2014 08:35 AM, Eli Billauer wrote:
> Hi all,
>
> I suppose that the security freaks already know about this, and still, this seems important enough for an alert.
>
> In a nutshell, a bug in the mechanism that allows keepalive messages to be sent to maintain an SSL link also allows, accidentally, a remote attacker to read a segment of up to 64 kBytes from the server's memory. It doesn't give access to any chunk of 64 kBytes, but it's a segment which is likely to be dirty with data that belongs to the process running openSSL. So there's a chance that data related to private keys and passwords is revealed this way.
>
> See http://en.wikipedia.org/wiki/Heartbleed
>
> I haven't found any tool checking a local SSH server, say as source code in C. I suppose it's being avoided for the sake of not supplying the almost-finished attack to script kiddies.
>
> Hag Sameah,
> Eli
Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)
On Fri, Apr 11, 2014 at 08:35:00AM +0300, Eli Billauer wrote:
> Hi all,
>
> I suppose that the security freaks already know about this, and still, this seems important enough for an alert.
>
> In a nutshell, a bug in the mechanism that allows keepalive messages to be sent to maintain an SSL link also allows, accidentally, a remote attacker to read a segment of up to 64 kBytes from the server's memory. It doesn't give access to any chunk of 64 kBytes, but it's a segment which is likely to be dirty with data that belongs to the process running openSSL. So there's a chance that data related to private keys and passwords is revealed this way.
>
> See http://en.wikipedia.org/wiki/Heartbleed
>
> I haven't found any tool checking a local SSH server, say as source code in C. I suppose it's being avoided for the sake of not supplying the almost-finished attack to script kiddies.

SSH is safe from this - it does not use this mechanism. Its protocol is different. Likewise GPG is safe from this bug as it is built with GnuTLS.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il ||                     a Mutt's
tzaf...@cohens.org.il ||                     best
tzaf...@debian.org    ||                     friend
[Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)
Hi all,

I suppose that the security freaks already know about this, and still, this seems important enough for an alert.

In a nutshell, a bug in the mechanism that allows keepalive messages to be sent to maintain an SSL link also allows, accidentally, a remote attacker to read a segment of up to 64 kBytes from the server's memory. It doesn't give access to any chunk of 64 kBytes, but it's a segment which is likely to be dirty with data that belongs to the process running openSSL. So there's a chance that data related to private keys and passwords is revealed this way.

See http://en.wikipedia.org/wiki/Heartbleed

I haven't found any tool checking a local SSH server, say as source code in C. I suppose it's being avoided for the sake of not supplying the almost-finished attack to script kiddies.

Hag Sameah,
Eli

-- 
Web: http://www.billauer.co.il
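The check that closes the hole Eli describes, as an added C example that is not code from this thread or from OpenSSL: a heartbeat handler that refuses to echo more payload bytes than the peer actually sent. The function heartbeat_respond, the HB_* constants and the two sample records are constructed for illustration; the record layout follows RFC 6520.

```c
/* Added example, not code from the thread or from OpenSSL: the declared-length
 * check that the Heartbleed fix introduced, over a constructed heartbeat record.
 * RFC 6520 layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The vulnerable code trusted payload_length when copying the payload back, so a
 * larger declared length made the copy read past the record into process memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Validate a heartbeat record and, if well formed, build the response into out.
 * Returns the response length, or 0 when the record must be silently dropped. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: the declared payload must fit inside the bytes actually received. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);        /* only bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* padding; random in real TLS */
    return resp_len;
}

/* Constructed records: a 4-byte "ping", and one claiming 0x4000 payload bytes. */
static const uint8_t good_rec[] = { 1, 0x00, 0x04, 'p','i','n','g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t bad_rec[]  = { 1, 0x40, 0x00, 'p','i','n','g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static uint8_t resp_buf[64];

int main(void)
{
    printf("good: %zu\n", heartbeat_respond(good_rec, sizeof good_rec, resp_buf, sizeof resp_buf));
    printf("bad:  %zu\n", heartbeat_respond(bad_rec, sizeof bad_rec, resp_buf, sizeof resp_buf));
    return 0;
}
```

The well-formed record yields a 23-byte response; the record that overstates its payload is dropped, which is exactly the case the unpatched code got wrong.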