Date: Wed, 16 Apr 2014 11:03:38 -0700
From: Ron Bowes <ron@...llsecurity.net>
To: Shawn <citypw@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Audit: don't only focus on heartbleed issue

Are there actually any real-world attack scenarios for BEAST, CRIME, or Lucky-thirteen? Heartbleed has been used in actual legitimate attacks, but those earlier attacks all seem pretty tame in comparison. Worth fixing, of course, but they don't seem *as* critical to me.

Ron

On Wed, Apr 16, 2014 at 3:10 AM, Shawn <citypw@...il.com> wrote:
> After an exciting and crazy week, people are getting calm and are planning or
> have already started doing audits on their systems. But there is something
> you might miss. The older versions of OpenSSL (like 0.9.8) might not be
> affected by the heartbleed issue, but that doesn't mean you are secure. Don't
> forget the old OpenSSL versions are still vulnerable to BEAST (2011), CRIME
> (2012) and Lucky-thirteen (2013) [1]. I do believe Lucky-thirteen is far
> more dangerous than heartbleed; we just don't know. Once you start the
> audit, please upgrade OpenSSL to the latest version. If you are using
> 0.9.8, please upgrade to 0.9.8y, which is not vulnerable to the Lucky-13
> issue.
>
> Fixing the heartbleed issue for a website is much easier than for networking
> devices (Firewall, UTM, SSL/IPSEC VPN, etc.) and 3rd-party
> software. This is definitely going to have an impact in the long term.
>
>
> [1] http://www.isg.rhul.ac.uk/tls/
>
> --
> GNU powered it...
> GPL protect it...
> God blessing it...
>
> regards
> Shawn
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/