![]() ![]() I had look at the RFC and original thesis where the (D)TLS heartbeat extension was proposed ( page 66) and it makes me a bit frustrated. So, which bugs can be expected in these closed source crypto libraries from Microsoft, if openssl has bugs like heartbleed? ACHTUNG!!! this is a special hack for IBM antivirus software Private\inet\wininet\urlcache\filemgr.cxx: Private\inet\mshtml\src\site\layout\flowlyt.cxx: Private\inet\mshtml\src\other\moniker\resprot.cxx: Private\inet\mshtml\src\core\cdutil\genutil.cxx: HACK! HACK! HACK! (MohanB) In order to fix #64710 at this very late Private\inet\mshtml\src\core\cdbase\baseprop.cxx: In that Microsoft code seem to be comments like Has somebody looked at that? Perhaps by looking at that, one can tell what the nsa key really is for. I see that one can (illegally) get parts of the windows 2000 sourcecode on piratebay. ![]() So the nsa might know the windows sourcecode, but we do not, thereby the nsa has it very easy when they make exploits for microsoft crypto functions. Otherwise, microsoft could not export windows. ![]() With microsoft, the nsa even has an enormous advantage: Microsoft itself claims that it had to give important design information of the crypto libraries to the nsa for reviewing. They might contain similar bugs, but since they are closed source, there are far less chances that bugs in Microsoft Internet Information Server, Microsoft Crypto API, and Microsoft Schannel get fixed. I’m actually more disturbed by the microsoft closed source crypto libraries. And a german programmer as an nsa agent sounds a bit far reaching. Also, people simply write stupid code sometimes. Perhaps it is indeed irelevant whether the bug was deliberately placed or not, since it may be used nevertheless. Tags: Internet, keys, man-in-the-middle attacks, passwords, patching, SSL, vulnerabilities, web, zero-dayĪp6:21 Andrakakis, see the comments here and the following ones: If nothing really bad happens-if this turns out to be something like the Y2K bug-then we are going to face criticisms of crying wolf.ĮDITED TO ADD (4/11): Brian Krebs and Ed Felten on how to protect yourself from Heartbleed. Possible evidence that Heartbleed was exploited last year.ĮDITED TO ADD (4/10): I wonder if there is going to be some backlash from the mainstream press and the public. And I’m not sure we have anything close to the infrastructure necessary to revoke half a million certificates. XKCD cartoon.ĮDITED TO ADD (4/9): Has anyone looked at all the low-margin non-upgradable embedded systems that use OpenSSL? An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn’t going to be fun for anyone.ĮDITED TO ADD (4/10): I’m hearing that the CAs are completely clogged, trying to reissue so many new certificates. Hacker News thread is filled with commentary. My guess is accident, but I have no proof. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.Īt this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. Half a million sites are vulnerable, including my own. And you have to assume that it is all compromised. This means that anything in memory-SSL private keys, user keys, anything-is vulnerable. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.īasically, an attacker can grab 64K of memory from a server. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. Heartbleed is a catastrophic bug in OpenSSL: ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |