Open Source and information security mailing list archives
Date: Wed, 16 Apr 2014 11:03:38 -0700
From: Ron Bowes <>
To: Shawn <>
Subject: Re: [FD] Audit: don't only focus on heartbleed issue

Are there actually any real-world attack scenarios for BEAST, CRIME, or

Heartbleed has been used in actual legitimate attacks, but those earlier
attacks all seem pretty tame in comparison. Worth fixing, of course, but
they don't seem *as* critical to me.


On Wed, Apr 16, 2014 at 3:10 AM, Shawn <> wrote:

> After an exciting and crazy week, people are getting calm and plan to
> audit, or have already started auditing, their systems. But there is
> something you might miss. The older versions of OpenSSL (like 0.9.8) might
> not be affected by the heartbleed issue, but that doesn't mean you are
> secure. Don't forget the old OpenSSL versions are still vulnerable to
> BEAST (2011), CRIME (2012), Lucky-thirteen (2013)[1]. I do believe
> Lucky-thirteen is far more dangerous than heartbleed, we just don't know.
> Once you start the audit, please upgrade OpenSSL to the latest version.
> If you are using 0.9.8, please upgrade to 0.9.8y, which is not vulnerable
> to the Lucky-13 issue.
> Fixing the heartbleed issue for a website is much easier than for
> networking devices (Firewall, UTM, SSL/IPSEC VPN, etc.) and 3rd-party
> software. This is definitely going to have an impact for the long term.
> [1]
> --
> GNU powered it...
> GPL protect it...
> God blessing it...
> regards
> Shawn
> _______________________________________________
> Sent through the Full Disclosure mailing list
> Web Archives & RSS:
