[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABniQZNLSktYNKX5P6Ftdnre4Tyftxk648srWLj7+8ZVM898OQ@mail.gmail.com>
Date: Wed, 16 Apr 2014 18:10:15 +0800
From: Shawn <citypw@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Audit: don't only focus on heartbleed issue
After an exciting and crazy week. People are getting calm and plan or
already start to doing audit on their system. But there are something
you might miss. The older version of OpenSSL( like 0.9.8) might not
affected by heartbleed issue but it doesn't mean you are secure. Don't
forget the old OpenSSL are still vulnerable to BEAST( 2011), CRIME(
2012), Lucky-thirteen( 2013)[1]. I do believe Lucky-thirteen is far
more dangerous than heartbleed, we just don't know. Once you start the
audit, plz upgrade the OpenSSL to the latest version. If you are using
0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to Lucky-13
issue.
Fix heartbleed issue for website is much easier than the networking
devices( Firewall, UTM, SSL/IPSEC VPN, etc) and the 3rd-party
software. This definitely gonna impacting for long term.
[1] http://www.isg.rhul.ac.uk/tls/
--
GNU powered it...
GPL protect it...
God blessing it...
regards
Shawn
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists