  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] New Bug Found in Widely Used OpenSSL Encryption

    June 5, 2014 5:10 pm

    Security experts are still trying to plug the hole left by Heartbleed, the bug found in the widely used OpenSSL encryption protocol, with some 12,000 popular domains still vulnerable, according to AVG Virus Labs.

    Now they have something else to worry about. On Thursday, the OpenSSL Foundation issued a warning to users about a decade-old bug that makes it possible for an attacker to conduct a so-called man-in-the-middle attack on traffic encrypted with OpenSSL. The advisory warns users that someone could use the bug to intercept an encrypted connection, decrypt it, and read the traffic.

    Users of OpenSSL are advised to deploy a new patch and upgrade to the latest version of OpenSSL software. The bug was initially discovered by Masashi Kikuchi, a Japanese researcher at Lepidum, a software firm. “Attackers can eavesdrop and make falsifications on your communication when both of a server and a client are vulnerable,” reads an FAQ on Lepidum’s website.

    Unlike Heartbleed, which could be used to directly exploit any server using OpenSSL, this new bug requires that the attacker be located between two computers communicating. A likely target, for example, would be someone using an airport’s public Wi-Fi.

    The new bug was introduced into OpenSSL when it was first released in 1998, more than 10 years before Heartbleed, which was first introduced in a code update on New Year’s Eve in 2011.

    The fact that the new bug went undetected for so long is another black mark on the management of OpenSSL. The encryption method is open source, meaning it can be reviewed and updated by anyone. Because of that, it is considered more secure and more trustworthy than proprietary code vetted by just one company’s engineers.

    But, in reality, OpenSSL had only one full-time developer and three “core” volunteer programmers in Europe, and operated on a budget of $2,000 in annual donations. This, despite the fact that OpenSSL is used to encrypt the majority of the world’s web servers and widely used by technology companies such as Amazon and Cisco.

    Following the Heartbleed discovery, major companies, including Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMWare, each pledged $100,000 a year over the next three years to the Core Infrastructure Initiative, a new open source initiative organized by the Linux Foundation to support crucial open-source infrastructure, like OpenSSL.

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    Thanks for nothing OpenSSL, cries stonewalled De Raadt

    By Darren Pauli, 6 Jun 2014

    OpenBSD founder Theo De Raadt said OpenSSL maintainers appeared to have intentionally not informed it about dangerous vulnerabilities found in the platform and patched today.

    The apparent feud stems from the April break away LibreSSL which was forked after developers found the OpenSSL code base to be unacceptably insecure in the wake of the Heartbleed vulnerability.

    LibreSSL would still contain OpenSSL vulnerabilities such as the most recent DTLS invalid fragmentation bug (CVE-2014-0195) and rely on early tip offs to ensure it could build a patch for the day of public disclosure.

    That bug was one of six to affect OpenSSL, which permitted eavesdropping on encrypted connections and the implanting of malware on vulnerable systems.

    Disclosure to LibreSSL did not happen leading De Raadt to claim it was part of deliberate stone-walling.

    "Most other operating system vendors have patches available, but that is because they were (obviously) given a heads up to prepare them over the last few days," De Raadt wrote in a mailing list post.

    "Unfortunately I find myself believing reports that the OpenSSL people intentionally asked others for quarantine (of the bug), and went out of their way to ensure this information would not come to OpenBSD and LibreSSL.

    "There, I've said it."

    From an ethical standpoint, developers did not need to inform those dependent on vulnerable code of any bugs found ahead of public disclosure but must inform all critical players if they chose to do so and not "specifically exclude a part of the community", he said.

    His statements were met with some criticism centered on the original decision to fork OpenSSL rather than working with developers to improve its security.

    At the time, De Raadt took abundant criticism of apparent OpenSSL security checks due to insufficient resources further by stating the platform was "not developed by a responsible team".

    The LibreSSL project aimed to substantially rewrite the OpenSSL codebase. Thousands of lines of "unneeded" code were deleted while individual source files were rewritten in kernel normal form used by BSD operating systems.

    It was planned for incorporation into BSD version 5.6 scheduled for release in November.
