[Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)
idokan at gmail.com
Sun Apr 27 00:59:59 IDT 2014
On Sat, Apr 26, 2014 at 2:20 PM, Sorana Fraier <sf10095 at gmail.com> wrote:
> There is now a fork by openbsd people for openssl. It's called libressl.
Why a fork?!
There are bugs, some of them are set to be security risks, but you can
never avoid bugs.
And when C and C++ are your main programming languages, the number of bugs
rises, due to so many reasons such as:
1. memory management (with all of its issues)
2. Improper data input
3. code that is hard to read and understand
I do think that the heartbleed issue was anything else but a bug, and
rewriting code will not make things less vulnerable for the next big bug
that might exist.
So why do they fork it?!
> They crave more people to help.
> On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev <lists at infoscav.net> wrote:
>> If any of you guys and gals think this isn't serious, think twice. The
>> CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
>> of being announced. There is a wave of security compromises all over the
>> world and sane CAs are offering free renewals of SSL certificates.
>> On 04/11/2014 08:35 AM, Eli Billauer wrote:
>> Hi all,
>> I suppose that the security freaks already know about this, and still,
>> this seems important enough for an alert.
>> In a nutshell, a bug in the mechanism that allows keepalive messages to
>> be sent to maintain an SSL link, also allows, accidentally, a remote
>> attacker to read a segment of up to 64 kBytes from the server's memory.
>> It doesn't give access to any chunk of 64 kBytes, but it's a segment
>> which is likely to be dirty with data that belongs to the process
>> running OpenSSL. So there's a chance that data related to private keys
>> and passwords is revealed this way.
>> See http://en.wikipedia.org/wiki/Heartbleed
>> I haven't found any tool checking a local SSH server, say as source code
>> in C. I suppose it's being avoided for the sake of not supplying the
>> almost-finished attack to script kiddies.
>> Hag Sameah,
>> Haifux mailing list
>> Haifux at haifux.org
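The mechanism Eli describes above (a heartbeat record whose claimed payload length is trusted instead of being checked against the bytes actually received) is the input-validation failure Ido's list calls "improper data input". The following is an added example, not code from the thread or from OpenSSL: a toy heartbeat-style handler that does the length check the real code was missing, and that reports by how many bytes a request over-claims. The record layout (type byte, 16-bit length, payload) and the two scenarios in `demo_honest_echo` / `demo_overclaim` are constructed for the demonstration; real TLS heartbeat records also carry padding, which is omitted here.

```c
/* Added example (not from the thread or OpenSSL): bounds-checked handling of
 * a heartbeat-style record. Layout assumed here: [type:1][len_hi:1][len_lo:1][payload]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HEADER_LEN 3
#define HB_REQUEST    1

typedef struct {
    int    ok;        /* 1 if the record was well-formed and echoed */
    size_t echoed;    /* bytes copied into the response buffer */
    size_t overclaim; /* how far the claimed length exceeded the real payload */
} hb_result;

/* Echo the payload back only if the claimed length fits inside the record.
 * The `claimed > actual` comparison is the check whose absence let a peer
 * read memory beyond the record it had actually sent. */
hb_result hb_handle(const uint8_t *rec, size_t rec_len,
                    uint8_t *resp, size_t resp_cap) {
    hb_result r = {0, 0, 0};
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST)
        return r;                                   /* truncated or not a request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2]; /* 16-bit big-endian length */
    size_t actual  = rec_len - HB_HEADER_LEN;        /* payload bytes really present */
    if (claimed > actual) {                          /* the missing check */
        r.overclaim = claimed - actual;
        return r;                                    /* reject; copy nothing */
    }
    if (claimed > resp_cap)                          /* never overrun our own buffer */
        return r;
    memcpy(resp, rec + HB_HEADER_LEN, claimed);
    r.ok = 1;
    r.echoed = claimed;
    return r;
}

/* Build a record with an arbitrary claimed length (constructed test input).
 * Returns the number of bytes written, 0 if buf is too small. */
size_t hb_build(uint8_t *buf, size_t cap, uint16_t claimed_len,
                const uint8_t *payload, size_t payload_len) {
    if (cap < HB_HEADER_LEN + payload_len)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    return HB_HEADER_LEN + payload_len;
}

/* Scenario 1 (constructed): honest request, 5 bytes claimed, 5 bytes sent. */
int demo_honest_echo(void) {
    uint8_t rec[64], resp[64];
    size_t n = hb_build(rec, sizeof rec, 5, (const uint8_t *)"hello", 5);
    hb_result r = hb_handle(rec, n, resp, sizeof resp);
    return r.ok && r.echoed == 5 && memcmp(resp, "hello", 5) == 0;
}

/* Scenario 2 (constructed): 0xFFFF bytes claimed, only 2 bytes sent.
 * Returns the over-claim the checked handler refused to serve. */
size_t demo_overclaim(void) {
    uint8_t rec[64], resp[64];
    size_t n = hb_build(rec, sizeof rec, 0xFFFF, (const uint8_t *)"hi", 2);
    hb_result r = hb_handle(rec, n, resp, sizeof resp);
    return r.ok ? 0 : r.overclaim;
}

int main(void) {
    printf("honest request echoed: %s\n", demo_honest_echo() ? "yes" : "no");
    printf("over-claimed request rejected; excess bytes refused: %zu\n",
           demo_overclaim());
    return 0;
}
```

The rejected case is also the one worth logging on a real server: a peer whose claimed length exceeds the bytes on the wire is either broken or probing, and the size of the excess (up to roughly 64 kB with a 16-bit length field, as the thread notes) is a useful field to record.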