Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- To: list@xxxxxxxxxxxxx
- Subject: Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- From: Martijn Grooten <martijn@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 8 Apr 2014 20:07:41 +0000
On Tue, Apr 08, 2014 at 08:46:09PM +0100, bad apple wrote:
> Simon also understands why PFS is a *major* mitigation factor in this
> debacle, not sure why everyone else didn't immediately grasp the value
> of it.
Everyone else = me.
I don't think PFS prevents the leaking of usernames and passwords
submitted to a web server (as in: the process). Or that it means
someone with the private key for your X.509 certificate can't do any
harm with it. Or that it prevents the leaking of other sensitive
information handled by the server.
I agree not using PFS makes this vulnerability even worse. It's just so
bad even with PFS.
> So, what do you all think then? Worst bug in recent history? I'd have to
> go back a fair way to think of something nastier or more widespread than
> this.
I wouldn't know what else deserves that label.
Martijn.
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
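The point made in the reply above, that the heartbeat over-read hands out whatever plaintext the server process happens to hold regardless of the cipher suite, is easier to see in code. The following is an added example, not code from this thread or from OpenSSL: a compact model of the 1.0.1 heartbeat handler beside the bounds check that 1.0.1g introduced. The flat "process memory" buffer, the secret string placed next to the record, and all function names are constructed for illustration; only the shape of the length check mirrors the real fix.

```c
/* Added example, not code from the thread or from OpenSSL: a model of the
 * OpenSSL 1.0.1 heartbeat over-read beside the 1.0.1g bounds check. The memory
 * layout, the secret and the function names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   128   /* constructed: a small slice of the server's heap */
#define RECORD_OFF 0     /* heartbeat record lives at the start of the slice */
#define SECRET_OFF 64    /* something else the process holds sits just after it */
#define HB_PAD     16    /* minimum padding a heartbeat message carries */

/* Constructed secret: plaintext of a request the server already decrypted,
 * so the key exchange used for the session (PFS or not) plays no role. */
static const char SECRET[] = "user=alice&pass=hunter2";

/* Build a heartbeat request: type(1) || payload_length(2, big-endian) || payload || padding.
 * claimed_len is what the peer writes in the length field, actual_len is what it
 * really sends. Returns the real record length as the TLS record layer sees it. */
static size_t build_request(uint8_t *dst, uint16_t claimed_len, const char *payload, size_t actual_len)
{
    dst[0] = 1;                              /* TLS1_HB_REQUEST */
    dst[1] = (uint8_t)(claimed_len >> 8);
    dst[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(dst + 3, payload, actual_len);
    memset(dst + 3 + actual_len, 0, HB_PAD); /* padding */
    return 3 + actual_len + HB_PAD;
}

/* Vulnerable handler: the peer-supplied length drives the copy and the real
 * record length is never consulted. Returns response length, or -1. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                           /* the bug: this value is ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t need = 3 + (size_t)payload + HB_PAD;
    if (need > resp_cap)
        return -1;
    resp[0] = 2;                             /* TLS1_HB_RESPONSE */
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);      /* reads past the record into neighbouring memory */
    memset(resp + 3 + payload, 0, HB_PAD);
    return (int)need;
}

/* Fixed handler: same shape as the 1.0.1g check
 *   if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;
 * a request whose claimed payload does not fit in the record is discarded. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + HB_PAD > rec_len)
        return -1;                           /* claimed length exceeds what was received */
    size_t need = 3 + (size_t)payload + HB_PAD;
    if (need > resp_cap)
        return -1;
    resp[0] = 2;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);      /* now guaranteed to stay inside the record */
    memset(resp + 3 + payload, 0, HB_PAD);
    return (int)need;
}

/* Feed one handler a malicious request (claims 100 bytes, sends 5) and report
 * whether the constructed secret shows up in the response: 1 = leaked, 0 = not. */
static int response_contains_secret(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t))
{
    uint8_t mem[MEM_SIZE] = {0};
    uint8_t resp[256] = {0};
    memcpy(mem + SECRET_OFF, SECRET, sizeof SECRET);
    size_t rec_len = build_request(mem + RECORD_OFF, 100, "hello", 5);
    int n = handler(mem + RECORD_OFF, rec_len, resp, sizeof resp);
    if (n < 0)
        return 0;                            /* request discarded, nothing leaked */
    for (size_t i = 0; i + sizeof SECRET - 1 <= (size_t)n; i++)  /* portable substring scan */
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0)
            return 1;
    return 0;
}

/* The fix must not break honest peers: claimed length == actual length still gets a reply. */
static int fixed_answers_honest_request(void)
{
    uint8_t mem[MEM_SIZE] = {0};
    uint8_t resp[256] = {0};
    size_t rec_len = build_request(mem, 5, "hello", 5);
    return heartbeat_fixed(mem, rec_len, resp, sizeof resp) == (int)(3 + 5 + HB_PAD);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", response_contains_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret: %d\n", response_contains_secret(heartbeat_fixed));
    printf("fixed handler answers honest request: %d\n", fixed_answers_honest_request());
    return 0;
}
```

The model keeps the record and the secret in one flat buffer so the over-read stays within a single C object; on a real server the neighbouring bytes are whatever the allocator placed there, which is why the leak is not limited to one session's data and why rotating the certificate key, while necessary, does not by itself address what the bug exposed.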