Wednesday, April 09

Geek

Dodging Bullets

First Apple's SSL library had a serious security flaw, but that's okay because I don't use Apple's SSL.  (I have an iPad, but it mostly just sits there.)

Then GnuTLS had a worse security flaw, but that's okay because I use OpenSSL.

Then OpenSSL had the worst security flaw of them all...  But that's okay because the version of OpenSSL we're using here is older than the bug.

I will wipe and reinstall a couple of virtual machines that don't have user data on them yet, just in case.

Of course, while mee.nu was secure* Amazon, Google, and any number of other providers have been exposed to this bug to varying degrees for two years.**  And the nature of the bug is such that attacks would not show up in normal server logs; it's a silent, pseudo-random data leak.

* Entirely because I've been too busy to migrate to a newer version of Linux and install proper certificates, not because of any specific virtue.

** It's been a busy two years.  Seriously.  I don't want to talk about it.

Posted by: Pixy Misa at 02:50 PM | Comments (13) | Add Comment | Trackbacks (Suck)
Post contains 181 words, total size 2 kb.

1 Isn't it the case that this wasn't so much a bug as it was a deliberately-inserted exploit?

Posted by: Steven Den Beste at Wednesday, April 09 2014 03:57 PM (+rSRq)

2 No clear evidence of that.  For GnuTLS and OpenSSL, it's open source and the changes are tracked, so we know exactly who introduced the bug and when.

The Apple bug is a bit dubious, since the specific bug should have been detected immediately by any code analysis tool or even the programmer's IDE (it left unreachable code), but again, no clear evidence that it was deliberate.

Posted by: Pixy Misa at Wednesday, April 09 2014 04:04 PM (PiXy!)

3 I wonder how long NSA has known about it.

Posted by: Steven Den Beste at Thursday, April 10 2014 01:42 AM (+rSRq)

4 Thanks for that Pixy...I'm always skeptical of sites that claim to test ones Mac...having one recommended by you was a big relief. 

Posted by: The Brickmuppet at Thursday, April 10 2014 10:47 AM (DnAJl)

5

Apparently NSA knew about it a couple of years ago.

Posted by: Steven Den Beste at Saturday, April 12 2014 06:11 AM (+rSRq)

6 Well, who are you going to believe, a mainstream media outlet citing anonymous sources, or the NSA?

Tough call.  If it's possible for them to both be lying, that's the way to bet.

Posted by: Pixy Misa at Saturday, April 12 2014 03:24 PM (PiXy!)

7

It turns out that the bug was included in Android 4.1.1.

I'm relieved to see that my phone is Android 4.2.2.

Posted by: Steven Den Beste at Tuesday, April 15 2014 01:57 AM (+rSRq)

8 BTW, just fended off a massive spam attack last night. But now my comments sidebar is wrong.

Posted by: Mauser at Tuesday, April 15 2014 06:55 AM (TJ7ih)

9 Usually it gets straightened out on the first new comment.

Posted by: Steven Den Beste at Tuesday, April 15 2014 10:20 AM (+rSRq)

10 I'll run my fixup script.

Posted by: Pixy Misa at Tuesday, April 15 2014 06:15 PM (PiXy!)

11 Thanks, making new comments wasn't working. Nor was deleting them.

Wondering if it's safe to open up commenting again....  They really stomped on my page HARD for hours.

Posted by: Mauser at Tuesday, April 15 2014 08:27 PM (TJ7ih)

12 I just blocked an entire hosting company (OVH) at the firewall for persistent spam from their customers. Hoping that will help.

Posted by: Pixy Misa at Wednesday, April 16 2014 01:15 PM (PiXy!)

13 I don't know how to tell.  Although it looks like Brickmuppet just got hit.

Posted by: Mauser at Wednesday, April 16 2014 08:12 PM (TJ7ih)

Hide Comments | Add Comment

Comments are disabled. Post is locked.
50kb generated in CPU 0.0229, elapsed 0.5099 seconds.
56 queries taking 0.5013 seconds, 356 records returned.
Powered by Minx 1.1.6c-pink.