Standard User billford
(elder) Wed 09-Apr-14 15:56:29
Re: OpenSSL vulnerability

[re: asrdesigns]
 
As far as I know, it only affects anything running as a server and using encryption as mentioned in the second quote of the OP.

I don't think it applies to SOHO modems/routers.

But my knowledge in this area is very limited, hopefully someone more expert will comment.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User Pipexer
(eat-sleep-adslguide) Wed 09-Apr-14 16:00:40
Re: OpenSSL vulnerability

[re: asrdesigns]
 
In reply to a post by asrdesigns:
So, is there any chance that this applies to our SOHO modem / routers?

Not in the manner you are thinking of, no. It may affect the web server service running on your router for remote management, but you probably shouldn't have that exposed to the internet anyway because we all know how poor home/SOHO router manufacturers are at producing secure management for their routers.

Zen 8000 Pro
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 20:03:41
Re: OpenSSL vulnerability

[re: billford]
 
In reply to a post by billford:
I don't think it applies to SOHO modems/routers.

Many routers running open source based firmware will be affected. Some DD-WRT versions certainly are.

It also seems that many Cisco products have OpenSSL at their core;

http://tools.cisco.com/security/center/content/Cisco...

I am sure there are more manufacturers using OpenSSL.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Wed 09-Apr-14 20:08:23)


Standard User billford
(elder) Wed 09-Apr-14 20:06:07
Re: OpenSSL vulnerability

[re: billford]
 
Just a little bit of re-assurance for the nervous:
It seems the bug has been in OpenSSL for 2+ years (since December 2011, OpenSSL versions 1.0.1 through 1.0.1f) before its publicly announced discovery today.


Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
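
The version range quoted in the post above (1.0.1 through 1.0.1f) can be applied to collected version banners as a first triage pass. This is an added example, not part of the thread; the hostnames, banners and function names are constructed for illustration.

```python
import re

# Matches "OpenSSL 1.0.1e 11 Feb 2013" (openssl version output) and
# "... OpenSSL/1.0.1c" (HTTP Server header) styles.
_BANNER = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner):
    """Return (major, minor, fix, letter), or None if no OpenSSL version is present."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def in_stated_range(banner):
    """True if the version is 1.0.1 through 1.0.1f, False if not, None if unknown."""
    v = parse_version(banner)
    if v is None:
        return None
    letter = v[3]
    # Compare (length, text) so "" < "a" < ... < "z" < "za" orders correctly.
    return v[:3] == (1, 0, 1) and (len(letter), letter) <= (1, "f")

def triage(inventory):
    """Map each host to 'check-build', 'outside-range' or 'unknown'."""
    labels = {True: "check-build", False: "outside-range", None: "unknown"}
    return {host: labels[in_stated_range(b)] for host, b in inventory.items()}

# Constructed inventory: hostnames and banners are sample data, not from the thread.
SAMPLE = {
    "web1.example.net": "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1c",
    "vpn.example.net": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "mail.example.net": "OpenSSL 1.0.1g 7 Apr 2014",
    "old.example.net": "OpenSSL 0.9.8y 5 Feb 2013",
    "iis.example.net": "Microsoft-IIS/7.5",
}

if __name__ == "__main__":
    # "check-build" rather than "vulnerable": distributions often backport
    # fixes without changing the version letter, so confirm the package build.
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:20} {status}")
```

A host with no OpenSSL banner is reported as unknown, not as safe, because the banner alone does not say which TLS library is in use.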
Standard User billford
(elder) Wed 09-Apr-14 20:18:23
Re: OpenSSL vulnerability

[re: caffn8me]
 
Glad I can't afford a Cisco router :)

Saw this site mentioned if anyone wants to check out a site they use, but no idea how reliable the results are.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 20:57:44
Re: OpenSSL vulnerability

[re: billford]
 
..but if Cisco are using OpenSSL you can bet other manufacturers are. I know Sun Microsystems did.

To reassure folks a little bit;
A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.

"I think there is a low to medium risk that any given password has been compromised," said Dr Steven Murdoch.

"It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that."


Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Wed 09-Apr-14 20:59:17)

Administrator MrSaffron
(staff) Wed 09-Apr-14 21:47:25
Re: OpenSSL vulnerability

[re: caffn8me]
 
All depends on what version of OpenSSL was used by the website too.

Andrew Ferguson, [email protected]
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 23:56:21
Re: OpenSSL vulnerability

[re: MrSaffron]
 
It does indeed. I've checked all the secure websites I use and none is affected as none uses OpenSSL. My own servers, which would have been affected, currently aren't running HTTPS.

I do run SSH on numerous servers that had the previous vulnerable version of OpenSSL but they are firewalled to allow SSH access only from specific locations (in two cases only on private IP addresses via VPN).

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 00:16:23
Re: OpenSSL vulnerability

[re: billford]
 
Do all secure sites use SSL?

As looking on https://github.com/musalbas/heartbleed-masstest/blob... it says


live.com... no SSL


however live.com is a secure site
Standard User Ignitionnet
(knowledge is power) Thu 10-Apr-14 03:02:54
Print Post

Re: OpenSSL vulnerability


[re: bobble_bob] [link to this post]
 
Yes. SSL/TLS is the standard.

live.com negotiated TLS 1.0 with my browser.