lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4ad03ab96de64dc0915ddeea54ffe428@CO1PR06MB332.namprd06.prod.outlook.com>
Date: Fri, 11 Apr 2014 20:14:08 +0000
From: "Schmidt, Michael" <michael.schmidt@...greens.com>
To: Manuel Tiago Pereira <mt.pereira@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

They are talking about their servers...

And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.

"modified version of NGINX that we use"

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf Of Manuel Tiago Pereira
Sent: Friday, April 11, 2014 7:31 AM
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

Hi,

CloudFlare has a very interesting article on their attempts to get a SSL private key, explaining why they find it very unlikely to be able to get it. Here it is:
http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed


On Fri, Apr 11, 2014 at 10:45 AM, Paul Vixie <paul@...barn.org> wrote:

>
>
> Juergen Christoffel wrote:
> > On Thu, Apr 10, 2014 at 11:32:21PM -0700, Paul Vixie wrote:
> >> [...]
> >> really bruce? on a scale of doesn't-matter-at-all to 
> >> worst-thing-you-could-have-previously-imagined, a read only exploit 
> >> is even worse than that?
> >
> > With all due respect to your ego Paul, I think you might 
> > under-estimate the long term effects: private keys get stolen, this 
> > allows people to play man-in-the-middle, people (the masses) will 
> > renew their certificates but might re-use their generated private 
> > keys because the don't know exactly what they are doing, etc.
>
> thanks for whatever respect may be due, but bruce is still wrong. the 
> cost to fix this is:
>
> 1. replace all private keys
> 2. replace all passwords
> 3. upgrade all SSL software
>
> that rates 9 out of 10, where 10 is the worst thing i could have 
> imagined pre-heartbleed, which is remote file modification and/or 
> remote code execution, because the costs in that case would be:
>
> 1. inclusive of [1..3] above
> 2. replace all operating systems
> 3. audit or replace all user data
>
> > As the EFF's traces back into 2013 might tell us, some bad guys 
> > exploited this for some time now. If this is the case, we might soon 
> > arrive at the conclusion that we need to exchange all certificates 
> > which had been created in the last two years.
>
> we already have to do that, since we have to assume the worst whenever 
> we don't have log files which somehow prove a negative.
>
> >
> > While I hope it tends to your interpretation, I fear a bit that it 
> > might be Bruces in the long run.
>
> bruce was spouting nonsense. heartbleed's costs will not be higher 
> than previously imaginable.
>
> vixie
>
> _______________________________________________
> Sent through the Full Disclosure mailing list 
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>



--
Manuel Tiago Pereira

_______________________________________________
Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ