Another flaw which just goes to show how undermined these "secure" and "government approved" encryption packages are.
Maddening.
Sysadmins, brace yourselves: OpenSSL has announced upcoming security fixes will fix a “high” impact flaw. Every OpenSSL release since the infamous Heartbleed vulnerability of April 2014 has been met with nervous anticipation, and that applies as much to the upcoming 1.0.2h, 1.0.1t releases as others before it. The last major …
>It would be far more worrying if after Heartbleed we wouldn't be getting a semi-constant stream of security fixes for the library.
Granted things are better today and it's a bit dated but just going to leave this link for devs on why they should probably avoid OpenSSL if they can: http://opensslrampage.org/page/48. This spaghetti code base has been badly managed for a very long time.
As others have said, Heartbleed set the expectation that there would be a lot of changes to address SSL/TLS security in the coming years as some of the code found indicated very poor practices.
Completely getting rid of SSLv2 and historical export defaults, slowly killing off SSLv3 while combing through TLS to make sure it was fit for purpose takes time, as does cleaning out issues within the trusted Certificate Authority model, getting people to upgrade their certificates to current standards to address encryption/hash protocols that were approaching the end of their working lives.
However, if it is another DROWN-type vulnerability where disabling SSLv2/v3 is a workaround, I'll sleep easier...
>Another flaw which just goes to show how undermined these "secure" and "government approved" encryption packages are.
All encryption is breakable. It's just a matter of time and resources. No matter how secure it is, no matter who approves it, somebody will be looking for ways to break it because the possible returns can be great.
The only real hope you have is that bugs in an encryption system are found legitimately and fixed before they can be exploited. That seems to be what has happened here.
I'll get your coat now.
BoringSSL is the SSL that Google deploy to all Android phones via Play Services, so as not to need to wait for phone vendors to update the core OS, delivering very rapid patch cycles for services that matter.
http://developer.android.com/training/articles/security-gms-provider.html
#whatsnakeoilvendorsforgettomention
I guess we won't know until there is a release. Just checked the LibreSSL site. Interesting in the release notes from January about which OpenSSL CVEs did not affect LibreSSL and OpenBSD Journal saying that DROWN didn't apply because SSL v2 support had been dropped. Unfortunately, the public mailing list doesn't seem to be mirrored anywhere.
One defence seems to be a fairly aggressive dropping of older versions.
It's easier to aggressively drop old versions when you've got a tiny, tiny market segment. OpenSSL, being the default in so many places, doesn't have that comfort. Being the default that nobody cares to check is like that: even though they've strongly advised maintainers to disable SSLv2 for years, nobody listened.
Those vulnerabilities have a silver lining, that now OpenSSL is able to do changes that would have pissed a lot of people in the past.
>Those vulnerabilities have a silver lining, that now OpenSSL is able to do changes that would have pissed a lot of people in the past.
You can't have your cake and eat it – compatibility for insecure protocols and security which is what you seem to be arguing for.
An aggressive versions policy is okay if it's properly communicated and for the right reasons.
I know fuck all about encryption but it would seem that when FOSS gets found with its pants down the hands go up and they, or others, sort it. ITMT 'Dave The Dim' relies on such software to keep his agenda secret. WhatsThat 'Dave The Dim'? Did WhatsApp have a Zero Day? That's a bit of a shame. Maybe your script kiddie masters at GCHQ will tell you about it after you have been pwnd.
OWNERSHIP MEANS EVERYTHING
Public ownership of internet resources will prevent the privateers from robbing us of free speech.
Public ownership of internet resources will allow generations hence to be guaranteed a platform to stand on.
Privateers are thieves.
This is a good thing.
Why? Care to make an actual argument, hopefully substantiated with some data, that "branded" bugs are detrimental to security? Or are you just being an ass?
Branded bugs have been quite effective at motivating management and users who are not IT security experts to install fixes and upgrade systems. Heartbleed's publicity is the only reason why the OpenSSL Foundation got the funding to revive the project and fix all the bugs since.
Writers really ought to understand rhetoric. And be able to think critically.
It's because the fact of branding a vulnerability doesn't mean anything.
There are severe vulnerabilities which are not branded and irrelevant vulnerabilities which are (Grinch attack as an example).
By focusing on branding you simply focus on the wrong thing. You should focus on the security and vulnerability parts.