[Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

ik idokan at gmail.com
Sun Apr 27 00:59:59 IDT 2014


On Sat, Apr 26, 2014 at 2:20 PM, Sorana Fraier <sf10095 at gmail.com> wrote:

> There is now a fork by openbsd people for openssl. It's called libressl.
>
> http://www.libressl.org/
>

Why a fork?!
There are bugs, some of them are set to be security risks, but you can
never avoid bugs.
And when C and C++ are your main programming languages, the number of bugs
rises, due to so many reasons such as:
1. Memory management (with all of its issues)
2. Improper data input
3. Code that is hard to read and understand

etc...

I do think that the Heartbleed issue was anything else but a bug, and
rewriting code will not make things less vulnerable for the next big bug
that might exist.

So why do they fork it?!


>
> They crave for more people to help.
>
>
> On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev <lists at infoscav.net> wrote:
>
>>  If any of you guys and gals think this isn't serious, think twice. The
>> CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
>> of being announced. There is a wave of security compromises all over the
>> world and sane CAs are offering free renewals of SSL certificates.
>>
>>
>> On 04/11/2014 08:35 AM, Eli Billauer wrote:
>>
>> Hi all,
>>
>> I suppose that the security freaks already know about this, and still,
>> this seems important enough for an alert.
>>
>> In a nutshell, a bug in the mechanism that allows keepalive messages to
>> be sent to maintain an SSL link, also allows, accidentally, a remote
>> attacker to read a segment of up to 64 kBytes from the server's memory.
>> It doesn't give access to any chunk of 64 kBytes, but it's a segment
>> which is likely to be dirty with data that belongs to the process
>> running OpenSSL. So there's a chance that data related to private keys
>> and passwords is revealed this way.
>>
>> See http://en.wikipedia.org/wiki/Heartbleed
>>
>> I haven't found any tool checking a local SSH server, say as source code
>> in C. I suppose it's being avoided for the sake of not supplying the
>> almost-finished attack to script kiddies.
>>
>> Hag Sameah,
>>
>>     Eli
>>
>>
>>
>>
>> _______________________________________________
>> Haifux mailing list
>> Haifux at haifux.org
>> http://haifux.org/mailman/listinfo/haifux
>>
>>
>
>
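The keepalive bug described in the quoted message above, shown from the receiving side as an added example (not code from this thread or from OpenSSL): a heartbeat handler that checks the peer's claimed payload length against the bytes actually received, as RFC 6520 requires. The function name hb_build_response, the constants and the two sample records are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request,  RFC 6520 */
#define HB_RESPONSE 2   /* heartbeat_response, RFC 6520 */
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding length, RFC 6520 */

/* Build the response to one received heartbeat record (rec, rec_len).
 * Returns the response length, or 0 if the record is silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;

    /* Length the peer claims for its payload: untrusted, 0..65535. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The check whose absence was the bug: the claimed payload must fit
     * inside the bytes actually received, or the memcpy below would read
     * whatever lies after the record in process memory. */
    if (claimed > rec_len - HB_HDR_LEN - HB_MIN_PAD)
        return 0;

    size_t resp_len = HB_HDR_LEN + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);  /* echo payload */
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD);    /* simplified: real padding is random */
    return resp_len;
}

int main(void)
{
    /* Constructed records: a well-formed one, and one claiming 16384 bytes. */
    uint8_t honest[23]   = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t inflated[19] = { HB_REQUEST, 0x40, 0x00 };
    uint8_t out[64];

    printf("honest:   %zu\n", hb_build_response(honest, sizeof honest, out, sizeof out));
    printf("inflated: %zu\n", hb_build_response(inflated, sizeof inflated, out, sizeof out));
    return 0;
}
```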