Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Wired : Heartbleed Redux: Another Gaping Wound In Web Encryption Uncovered

Nariman Gharib nariman.gh at gmail.com
Thu Jun 5 08:59:47 PDT 2014


FYI!

http://www.wired.com/2014/06/heartbleed-redux-another-gaping-wound-in-ssl-uncovered

"  “This vulnerability allows malicious intermediate nodes to intercept
encrypted data and decrypt them while forcing SSL clients to use weak keys
which are exposed to the malicious nodes,” reads an FAQ published by
Kikuchi’s employer, the software firm Lepidum
<http://ccsinjection.lepidum.co.jp/>. Ashkan Soltani, a privacy researcher
who has been involved in analyzing the Snowden NSA leaks for the NSA and
closely tracked SSL’s woes, offers this translation: “Basically, as you and
I are establishing a secure connection, an attacker injects a command that
fools us to thinking we’re using a ‘private’ password whereas we’re
actually using a public one.”

Unlike the Heartbleed flaw, which allowed anyone to directly attack any
server using OpenSSL, the attacker exploiting this newly discovered bug
would have to be located somewhere between the two computers communicating.
But that still leaves open the possibility that anyone from an eavesdropper
on your local Starbucks’ network to the NSA to strip away your Web
connection’s encryption before it’s even initialized.

According to a blog post by Kikuchi
<http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html>,
the flaw has existed since the very first release of OpenSSL in 1998. He
argues that despite the widespread dependence on the software and its
recent scrutiny following the Heartbleed revelation, OpenSSL’s code still
hasn’t received enough attention from security researchers. “The biggest
reason why the bug hasn’t been found for over 16 years is that code reviews
were insufficient, especially from experts who had experiences with TLS/SSL
implementation,” he writes. “They could have detected the problem.”
​ "

http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html
​



-- 
PGP: 084F 95C0 BD1B B15A 129C 90DB A539 6393 6999 CBB6
www.NARIMAN.Tel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140605/8151e959/attachment.html>


More information about the liberationtech mailing list