  1. #26
    Quote Originally Posted by Mar-Evayave View Post
    (snip)
    On the other hand, it strikes me as a bit brain-dead to publicly announce an issue in that manner. Wouldn't they want to first keep it hush-hush, scramble to put together a patch, verify the patch is gonna work, and then go public as the update is distributed? That reduces the amount of time the bad guys have to work with, keeping any potential problems to a minimum. After that point, if services are too slow to update, then it's sorta their own fault if they got hacked. It seems they would want to implement the fix asap, rather than procrastinate.
    (snip)
    If you are referring to the OpenSSL project's announcement of Heartbleed then you should be aware that they did not advertise the Zero-Day Exploit UNTIL they had determined a fix for it. Thankfully the fix was pretty easy to make inside the project.

    They needed to advertise it so that all the companies who just download the source code themselves and compile it (it's open source) would know to do so again and get the latest patch.

    As open source they don't have a list of customers they can send secured emails to, it's available to anyone, anywhere to download, compile and use.
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  2. #27
    Quote Originally Posted by thinx View Post
    Servers with fixed heartbleed but old certificates/keys expose the client-server connection with every login.
    Only partially true. If the system used to be vulnerable, and its certificate was created while it was vulnerable, then it needs to be updated.

    However, if the system was never vulnerable, because it never updated to a version of openSSL that had the heartbleed bug, then the certificate is as good as it ever was.

    RHEL5 and Centos5 based systems were never automatically updated to a vulnerable version of openSSL, so unless they were manually updated, they have never been vulnerable.
    TANSTAAFL

  3. #28
    Quote Originally Posted by SabrielofLorien View Post
    If you are referring to the OpenSSL project's announcement of Heartbleed then you should be aware that they did not advertise the Zero-Day Exploit UNTIL they had determined a fix for it. Thankfully the fix was pretty easy to make inside the project.

    They needed to advertise it so that all the companies who just download the source code themselves and compile it (it's open source) would know to do so again and get the latest patch.

    As open source they don't have a list of customers they can send secured emails to, it's available to anyone, anywhere to download, compile and use.
    That's a relief. I didn't know exactly what their timeline was. If all companies were smart and acted immediately (again, another thing that would be brain-dead of them if they didn't) then that narrows the window of opportunity even further. Of course, there is always the matter of whether or not the issue was exploited in the last 2 years, but I guess we will simply never know the extent of the damage.
    R5 100 GRD Marevayave - Leader of Riddermarked For Death
    R8 100 MNS Fayah/100 LM Siennah/100 HNT Dinenol/100 RK Dhurik
    100 CHN Alachas/85 CPT Dinfaerien/60 BUR Dhax/35 WDN Godoric
    R9 100 MNS Fayeh (alt Wilya) - Lonely Mountain Band @ Landroval

  4. #29
    The long story, to my best knowledge. Only for affected servers.
    Quote Originally Posted by mjk47 View Post
    Only partially true. If the system used to be vulnerable, and its certificate was created while it was vulnerable, then it needs to be updated.
    The certificate is bound to the public server key, which is bound to the private server key, which is retrievable using heartbleed (proven today). If the private key is changed, the public key in the certificate needs to change, therefore the certificate needs to be updated.

    A certificate just validates itself and the information it contains. This is the server name (domain or ip), the time frame and the server's public key. The identity of the server is just validated as this server is able to decrypt the session key that was encrypted with the public key within the certificate - which is something a fake server would not be able to do. Once the private server key is known, the situation is different and only domain/ip are "protecting" you against fake servers. This is no real protection (e.g. hijacked routers or gateways).
    However, all of this is not needed at all, as a person able to set up a man in the middle can also set up a listener and have exactly the same benefit - once the private keys are known.

    Quote Originally Posted by mjk47 View Post
    However, if the system was never vulnerable, because it never updated to a version of openSSL that had the heartbleed bug, then the certificate is as good as it ever was.
    The term "fixed" does not apply to servers that were not fixed.
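    The key/certificate binding and the passive-listener point made in this post, as an added example that is not code from the thread or from OpenSSL: textbook RSA with small constructed primes, the toy `Certificate` record and the name `lotro.example` are all assumptions, so it models the relationships only and is not real cryptography.

```python
# Added illustration (not from the thread): textbook RSA with small constructed primes
# models the bindings the posts describe; not real crypto, only the key/cert relationships.
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int  # private exponent

def make_key(p, q, e=65537):
    return RsaKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)))  # Python 3.8+

@dataclass(frozen=True)
class Certificate:
    subject: str        # server name (domain or ip)
    not_before: int     # validity window, in years to keep the toy short
    not_after: int
    pub_n: int          # the certificate carries only the PUBLIC key
    pub_e: int

def issue_cert(subject, nb, na, key):
    return Certificate(subject, nb, na, key.n, key.e)

def cert_matches_key(cert, key):
    # after rotating the private key the old cert no longer matches the
    # server's key, so the cert has to be reissued, not just the key
    return (cert.pub_n, cert.pub_e) == (key.n, key.e)

def client_encrypt_session_key(cert, session_key):
    return pow(session_key, cert.pub_e, cert.pub_n)  # RSA key exchange

def decrypt_session_key(key, wire):
    return pow(wire, key.d, key.n)

def demo():
    old_key = make_key(1000003, 1000033)       # constructed primes, n ~ 1e12
    cert = issue_cert("lotro.example", 2012, 2015, old_key)
    session_key = secrets.randbits(39)         # below n, so RSA round-trips
    wire = client_encrypt_session_key(cert, session_key)  # seen by a listener
    new_key = make_key(1000037, 1000039)       # key rotated after the leak
    return {
        # identity proof: whoever holds the private key recovers the session
        # key, the genuine server and a passive listener with the leaked key alike
        "private_key_holder_decrypts": decrypt_session_key(old_key, wire) == session_key,
        "fake_server_without_key_decrypts": decrypt_session_key(new_key, wire) == session_key,
        "old_cert_matches_new_key": cert_matches_key(cert, new_key),
        "reissued_cert_matches_new_key": cert_matches_key(issue_cert("lotro.example", 2014, 2017, new_key), new_key),
    }
```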
