Found vulnerability in OpenSSL 1.0.1 through 1.0.1f

[Vodsel]

To whom it may concern (most likely Trav is aware of this already):

A serious vulnerability in the OpenSSL library was found and reported yesterday, April 7th - The Heartbleed Bug.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Fix requires update to OpenSSL 1.0.1g - Statement by OpenSSL project

 

[The Traveler]

To whom it may concern (most likely Trav is aware of this already):

Luckily we do not do anything with the OpenSSL library.


Kind regards,

The Traveler

 

[cyb]

Report: NSA knew about Heartbleed bug and took advantage of it, but the NSA denies the charge.

The National Security Agency has known about the Heartbleed bug, which has compromised two-third of the world’s websites, for over two years, and has been actively trying to exploit it, according to reports. However, not long after the report surfaced, the NSA denied knowing about the bug before the public did, and called the reports “wrong.”

Source

 

[Ufostrahlen]

That is why you want Forward Secrecy in your cipher suite. If the key for one session is corrupted, past sessions can't be reconstructed, since with Forward Secrecy the keys are negotiated every single session.

The Nexus uses Forward Secrecy and the Schannel library, not the OpenSSL library. Which may be beneficial, maybe not. OpenSSL is open, Schannel is closed.

The question is: has Schannel a back-door, too? Or are the random number generators in Windows compromised, so reconstruction is easy with huge data centers? Nobody can tell, as the source code isn't open.

Which leads to the ultimate question: has the NSA forced Microsoft to corrupt their random number generators or their cipher library? And sign a non-disclose agreement because of "national security" by "court" order?

The NSA _did_ corrupt RSA, which core business is data security:

http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

TL;DR: be careful with your online activity, current events prove that computer security is under attack daily.

 

[bindu]

To whom it may concern (most likely Trav is aware of this already):

Luckily we do not do anything with the OpenSSL library.


Kind regards,

The Traveler

As if luck has anything to do with it...

 

[Ufostrahlen]

The question is: has Schannel a back-door, too?

Microsoft Security Bulletin MS14-066 - Critical :lol:

The good news: no big headlines in the mainstream media!1! Folks, nothing to see here, move along!

 

[1ce]

The question is: has Schannel a back-door, too?

Microsoft Security Bulletin MS14-066 - Critical :lol:

The good news: no big headlines in the mainstream media!1! Folks, nothing to see here, move along!

I know of a SoF and remote code exploit that are both unpatched.