Pages in this thread: 1 | 2 | 3 | [4] | 5 | (show all)   Print Thread
Standard User XRaySpeX
(eat-sleep-adslguide) Thu 10-Apr-14 22:03:11

Re: OpenSSL vulnerability

[re: MrSaffron]
 
Couldn't care a fig about my FB pwd; it's trivia and unimportant. So what if someone gets in; they can't buy anything on my CC grin.

As long as my banks, Amazon & PayPal are unaffected, and they are. Most banks do not depend on a typed pwd alone. They use a PIN reader and drop-down pwd chars to do at least new transactions.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ian72
(knowledge is power) Fri 11-Apr-14 08:44:38

Re: OpenSSL vulnerability

[re: XRaySpeX]
 
Presumably you are one of the sensible people who doesn't use the same password on FB as on any other site? For a lot of people the issue is that they use the same password, so if one gets compromised they all do.
Standard User BatBoy
(legend) Fri 11-Apr-14 18:58:13

Re: OpenSSL vulnerability

[re: caffn8me]
 
In reply to a post by caffn8me:
Many routers running open source based firmware will be affected. Some DD-WRT versions certainly are.
It also seems that many Cisco products have OpenSSL at their core;
http://tools.cisco.com/security/center/content/Cisco...
I am sure there are more manufacturers using OpenSSL.
Well, the open source programmer has been identified but seems unwilling to take the blame for a fairly obvious schoolboy error:
I was working on a research project at the University of Münster using the OpenSSL encryption library and releasing bug fixes and new features that were developed as part of my work on the OpenSSL project. The various changes were checked by a member of the OpenSSL development team and then incorporated into the official code. In connection with one extension, the TLS/DTLS Heartbeat extension, I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed after the extension. Unfortunately, the OpenSSL developer who reviewed the code also did not notice that a mistake had been made when carrying out the check. As a result, the faulty code was incorporated into the development version, which was later officially released.
This shows the vulnerability of Open Source development, where some inexperienced schoolboy becomes responsible for the maintenance of an important piece of software with no apparent skill or experience, no formal testing other than "it works" and no formal reviews.


False Authority Syndrome



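The missing length check that the quoted statement describes, shown as an added example in Python that models the RFC 6520 heartbeat record; this is not OpenSSL's code and the record layout constants are taken from the RFC. handle_heartbeat applies the bounds check that was absent, and overread_bytes reports how far past the received record a handler that trusted the length field would have read.

```python
import struct
from typing import Optional

# Toy model of a TLS Heartbeat record (RFC 6520), constructed for this example;
# it is not OpenSSL code. Layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3          # type byte plus two-byte length field
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding


def claimed_payload_length(record: bytes) -> int:
    """The length field exactly as the peer sent it: untrusted input."""
    return struct.unpack("!H", record[1:3])[0]


def overread_bytes(record: bytes) -> int:
    """How many bytes past the end of the record a handler that trusted the length
    field would have copied into its reply (0 when the record is honest)."""
    if len(record) < HEADER_LEN:
        return 0
    available = len(record) - HEADER_LEN - MIN_PADDING
    return max(0, claimed_payload_length(record) - available)


def handle_heartbeat(record: bytes) -> Optional[bytes]:
    """Hardened handler: includes the bounds check the quoted statement says was missing.
    Returns the response record, or None when the request must be silently discarded."""
    if len(record) < HEADER_LEN + MIN_PADDING or record[0] != HB_REQUEST:
        return None
    payload_len = claimed_payload_length(record)
    # The fix: the claimed payload plus minimum padding must fit inside the record received.
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    # OpenSSL fills the padding with random bytes; zeros are enough to show the structure.
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + bytes(MIN_PADDING)


def make_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a request; claimed_length lets a test lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + bytes(MIN_PADDING)


if __name__ == "__main__":
    honest = make_request(b"hello")
    print(handle_heartbeat(honest))                          # echoes b"hello" with padding
    lying = make_request(b"hello", claimed_length=0xFFFF)
    print(handle_heartbeat(lying), overread_bytes(lying))    # None 65530
```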
Standard User flippery
(committed) Fri 11-Apr-14 19:21:29

Re: OpenSSL vulnerability

[re: BatBoy]
 
In reply to a post by BatBoy:
This shows the vulnerability of Open Source development, where some inexperienced schoolboy becomes responsible for the maintenance of an important piece of software with no apparent skill or experience, no formal testing other than "it works" and no formal reviews.


Hmm.
Major suppliers use it as part of their kit, most likely as a cost-saving exercise, without resorting to any testing procedures or 2-part logins.
Schoolboy errors have been made by many major software companies, including one I worked for.
The likes of Google, Facebook and Yahoo are the guilty ones. Worth billions but spend peanuts on security.
Standard User BatBoy
(legend) Fri 11-Apr-14 19:27:39

Re: OpenSSL vulnerability

[re: flippery]
 
It's easy to blame everybody else for a coding error. The fact is, this code should never have gone live - look at the damage!


False Authority Syndrome
Standard User grahammm
(member) Sat 26-Apr-14 12:20:43

Re: OpenSSL vulnerability

[re: caffn8me]
 
In reply to a post by caffn8me:
Of course, it's not enough just to upgrade OpenSSL but any applications compiled with it need to be recompiled.


That is not quite accurate. The applications do not need to be recompiled - they just need to be restarted as this will cause them to pick up the new code.
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 26-Apr-14 13:04:37

Re: OpenSSL vulnerability

[re: grahammm]
 
Ah, the beauty of DLLs!

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User BatBoy
(legend) Sat 26-Apr-14 13:05:47

Re: OpenSSL vulnerability

[re: XRaySpeX]
 
As long as they're not static.


False Authority Syndrome
Standard User gomezz
(eat-sleep-adslguide) Sat 26-Apr-14 16:04:11

Re: OpenSSL vulnerability

[re: BatBoy]
 
How can they be static if they are a *Dynamic* Link Library?

BT Infinity 1 (unlimited)
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 26-Apr-14 16:51:58

Re: OpenSSL vulnerability

[re: gomezz]
 
He could be referring to the fact that some libraries are issued in both DLL & static form and some OpenSSL s/ware might use the static one. His 'it' might mean the OpenSSL app.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
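A way to act on grahammm's point and BatBoy's caveat, as an added example that is not from the thread: on Linux a process started before the upgrade still maps the old libssl/libcrypto files, and the kernel marks a mapped file that has since been replaced on disk with "(deleted)" in /proc/<pid>/maps. The sample maps text is constructed, and the procfs scan is assumed to run as root so other users' maps are readable.

```python
import os
import re
from typing import Dict, Set

# OpenSSL shared objects, matched on the file name only (libssl.so.1.0.0, libcrypto.so.1.0.1 ...).
OPENSSL_LIBS = re.compile(r"/lib(ssl|crypto)\.so(\.\d+)*$")
DELETED_SUFFIX = " (deleted)"


def stale_openssl_mappings(maps_text: str) -> Set[str]:
    """Given the text of one /proc/<pid>/maps, return the OpenSSL library paths that are
    still mapped although the file on disk has been replaced (marked '(deleted)')."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # address perms offset dev inode [pathname]
        if len(fields) < 6:
            continue                   # anonymous mapping, no path to check
        path = fields[5]
        if not path.endswith(DELETED_SUFFIX):
            continue
        path = path[: -len(DELETED_SUFFIX)]
        if OPENSSL_LIBS.search(path):
            stale.add(path)
    return stale


def processes_needing_restart(proc_root: str = "/proc") -> Dict[int, Set[str]]:
    """Walk procfs and report pid -> stale OpenSSL libraries. A binary that linked OpenSSL
    statically has no libssl mapping at all, so it never shows up here (BatBoy's caveat);
    those must be found by rebuilding or by checking the vendor's advisory."""
    result: Dict[int, Set[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                stale = stale_openssl_mappings(f.read())
        except OSError:
            continue                   # process exited, or maps not readable for this user
        if stale:
            result[int(entry)] = stale
    return result


# Constructed sample of a maps file for a daemon started before libssl was upgraded.
SAMPLE_MAPS = """7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 1310720  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c3a0000-7f3a1c400000 r--p 001a0000 08:01 1310720  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d200000 r-xp 00000000 08:01 1310800  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1e000000-7f3a1e021000 r-xp 00000000 08:01 400001   /lib/x86_64-linux-gnu/libc-2.19.so
7ffd0a000000-7ffd0a021000 rw-p 00000000 00:00 0        [stack]
"""

if __name__ == "__main__":
    print(sorted(stale_openssl_mappings(SAMPLE_MAPS)))
    for pid, libs in sorted(processes_needing_restart().items()):
        print(pid, sorted(libs))
```

A process listed by the scan has the Heartbleed-era code in memory regardless of what is now on disk, so it needs a restart; an empty result only covers dynamically linked binaries.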