Puppy Linux Discussion Forum » Off-Topic Area » Security
OpenSSL software risk
Page 1 of 2 [21 Posts]
cthisbear

Joined: 29 Jan 2006
Posts: 3411
Location: Sydney Australia

Posted: Tue 08 Apr 2014, 17:10    Post subject: OpenSSL software risk

Newly discovered encryption flaw a 'big deal', say security experts.

http://www.smh.com.au/it-pro/security-it/newly-discovered-encryption-flaw-a-big-deal-say-security-experts-20140408-zqsb0.html

" With access to the private key, an attacker is able to impersonate a
web server, while still showing a user their connection is encrypted by displaying a golden padlock in their web browser.

The padlock, together with the letters https in a web address, are the indications web users look for to be assured a site is safe and transmitting their data securely. "

Chris.
version2013

Joined: 08 Sep 2013
Posts: 79

Posted: Tue 08 Apr 2014, 22:30    Post subject: heartbleed bug

a relevant thread:
CVE-2014-0160 OpenSSL Heartbleed
ThoriumBlvd


Joined: 04 Oct 2013
Posts: 138
Location: N.E. USA

Posted: Wed 09 Apr 2014, 00:00    Post subject:
Subject description: What version do I have?

After doing basic reading here, including the software site, it appears that there is a weaving of versions 1.0.1 and 1.0.0. I am not consoled by the fact that my own usr/bin/openssl reports, when properties are checked, that it's version 1 (SYSV). The date of record in this Puppy is Mar.4 '13, which does not exclude certain versions of either 101 or 100.

Is there another way to verify the version?

*** Thanks for code mine is 101e... I need the update. ***

PPM has 101g in Package Updates-Slackware


Last edited by ThoriumBlvd on Thu 10 Apr 2014, 04:46; edited 2 times in total
Semme

Joined: 07 Aug 2011
Posts: 3880
Location: World_Hub

Posted: Wed 09 Apr 2014, 02:22

Couldn't be easier.
Code:
openssl version
mcewanw

Joined: 16 Aug 2007
Posts: 2345
Location: New Zealand

Posted: Wed 09 Apr 2014, 16:56

Yes, a serious bug - people are being advised to change passwords (assuming openssl has been patched to fix the vulnerability) - some banks use openssl...

http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html

http://heartbleed.com/

_________________
Non enim propter gloriam, diuicias aut honores pugnamus set propter libertatem solummodo quam Nemo bonus nisi simul cum vita amittit.
ThoriumBlvd


Joined: 04 Oct 2013
Posts: 138
Location: N.E. USA

Posted: Thu 10 Apr 2014, 03:27    Post subject:
Subject description: Check for vulnerability

The following site will check for vulnerability

http://possible.lv/tools/hb/

Terryphi


Joined: 02 Jul 2008
Posts: 760
Location: West Wales, Britain.

Posted: Thu 10 Apr 2014, 10:57

Versions of openssl before 1.0.1 do not have the heartbleed vulnerability.

Racy and Wary use version 0.9.8 and definitely do not suffer from this vulnerability.

Beyond that it is hard to clarify the facts from the media hysteria. Linux servers using openssl 1.0.1 were in danger of leaking usernames and passwords from memory. Whether this is relevant to openssl on home computers running Linux I do not know. Does anyone?

_________________
Classic Opera 12.16 browser SFS package for Precise, Slacko, Racy, Wary, Lucid, Quirky, etc available here
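As an added example (not code from the thread or from the OpenSSL project), a small Python script that parses the banner printed by Semme's `openssl version` command and classifies it against the range Terryphi describes: releases before 1.0.1 are unaffected, 1.0.1 through 1.0.1f carry the bug, and 1.0.1g (the package ThoriumBlvd found in PPM) is the fix. The sample banners are constructed, not captured from any machine.

```python
import re
import subprocess

# Heartbleed (CVE-2014-0160) is in OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
# 0.9.8 and 1.0.0 never shipped the affected heartbeat code.
# (1.0.2-beta1 was also affected; beta builds are not handled here.)
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Parse a banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e')."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)

def is_heartbleed_range(version):
    """True if the upstream release number is 1.0.1 (no letter) or 1.0.1a..1.0.1f."""
    major, minor, patch, letter = version
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter < "g"      # '' and 'a'..'f' sort before 'g'; 'g' and later are fixed

def classify(banner):
    """Return 'affected', 'unaffected' or 'unknown' for one version banner."""
    try:
        return "affected" if is_heartbleed_range(parse_openssl_version(banner)) else "unaffected"
    except ValueError:
        return "unknown"

def check_installed():
    """Run the local `openssl version` and classify it; 'unknown' if openssl is absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return "", "unknown"
    return out.strip(), classify(out)

if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real machine.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.0l 6 Jan 2014"):
        print(banner, "->", classify(banner))
    print(*check_installed())
```

Distributions sometimes backport the fix without changing the upstream letter, so treat a string-only "affected" result as a prompt to check the package changelog rather than as a final verdict.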
ThoriumBlvd


Joined: 04 Oct 2013
Posts: 138
Location: N.E. USA

Posted: Thu 10 Apr 2014, 15:43

I'd rather be safe than sorry. delta-version here.

BTW this got me looking at the certs in FF23. All the server certs were NG, and a couple of google-related were expired and tossed.

Sylvander

Joined: 15 Dec 2008
Posts: 3444
Location: West Lothian, Scotland, UK

Posted: Thu 10 Apr 2014, 17:02

http://possible.lv/tools/hb/

Load your SSL site into the page loaded at the above link to test.

What you want to see:
"TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected."

My banking website tested OK.
Terryphi


Joined: 02 Jul 2008
Posts: 760
Location: West Wales, Britain.

Posted: Thu 10 Apr 2014, 23:57

This test site gives lots of data:

https://www.ssllabs.com/ssltest/analyze.html

8-bit


Joined: 03 Apr 2007
Posts: 3368
Location: Oregon

Posted: Fri 11 Apr 2014, 01:03

If I have updated openssl on Puppy and I connect to a site whose server is still using an older version, which takes priority?
In other words, would I still be at risk to the heartbleed problem?
Terryphi


Joined: 02 Jul 2008
Posts: 760
Location: West Wales, Britain.

Posted: Fri 11 Apr 2014, 02:30

8-bit wrote:
If I have updated openssl on Puppy and I connect to a site whose server is still using an older version, which takes priority?
In other words, would I still be at risk to the heartbleed problem?


Quote from openssl developers:

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.


As far as I can see the problem is mainly at the server so that is the openssl version that matters - but I may be wrong! What if you have an insecure version of openssl on your PC? Well, even if it is possible to read your (very) recently used passwords from 64K of memory on your PC you would have to be persuaded to connect to a secure https site containing specially constructed malware to read it. Check any https site using https://www.ssllabs.com/ssltest/analyze.html before you visit it. Most reputable sites have now been fixed.

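The developers' quote above describes a missing bounds check; as an added example (not the thread's or OpenSSL's code), this Python validator applies that check to a TLS heartbeat record the way the patched library does, so a request whose header claims more payload than the record actually carries is discarded instead of answered. Whichever side receives the heartbeat runs this check, which is why the version on both client and server matters; the two records are constructed test vectors, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24          # TLS ContentType for heartbeat messages (RFC 6520)
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding

def parse_tls_record(record):
    """Split a TLS record into (content_type, version, fragment); None if truncated."""
    if len(record) < 5:
        return None
    content_type, version, length = struct.unpack(">BHH", record[:5])
    fragment = record[5:5 + length]
    if len(fragment) != length:            # fewer bytes arrived than the header promised
        return None
    return content_type, version, fragment

def validate_heartbeat(record):
    """Apply the bounds check that patched OpenSSL (1.0.1g) performs.

    Returns the heartbeat payload if the message is well-formed, or None if the
    record must be silently discarded (RFC 6520 section 4)."""
    parsed = parse_tls_record(record)
    if parsed is None or parsed[0] != TLS_HEARTBEAT:
        return None
    fragment = parsed[2]
    # type (1) + payload_length (2) + at least 16 bytes of padding must be present.
    if len(fragment) < 1 + 2 + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack(">BH", fragment[:3])
    if hb_type not in (1, 2):              # heartbeat_request / heartbeat_response
        return None
    # The check that was missing: the claimed payload plus padding must fit inside
    # the bytes actually received. Without it, building the echo reply copied
    # payload_length bytes from beyond the end of the received message.
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        return None
    return fragment[3:3 + payload_length]

# Constructed test vectors (not captured traffic). Record header: type 24, TLS 1.2, length 23.
# Well-formed request: payload_length 4 matches the 4 payload bytes, then 16 bytes padding.
GOOD_RECORD = bytes([24, 3, 3, 0, 23]) + bytes([1, 0, 4]) + b"ping" + b"\x00" * 16
# Same bytes on the wire, but the header claims a 65535-byte payload that is not there.
BAD_RECORD = bytes([24, 3, 3, 0, 23]) + bytes([1, 255, 255]) + b"ping" + b"\x00" * 16

if __name__ == "__main__":
    print("good:", validate_heartbeat(GOOD_RECORD))   # b'ping'
    print("bad: ", validate_heartbeat(BAD_RECORD))    # None
```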
mikeb


Joined: 23 Nov 2006
Posts: 8252

Posted: Fri 11 Apr 2014, 08:17

Are you telling me my crusty old distros and rusty software are actually SAFER in this respect?!!!

Old devs never die but they do retire. The bunnies writing today's code are not necessarily as sharp as their predecessors or fully realise the implications of techniques that have been previously used.
I suppose that applies generally not only in software... but mozilla does come to mind.

mike
8-bit


Joined: 03 Apr 2007
Posts: 3368
Location: Oregon

Posted: Fri 11 Apr 2014, 12:12

Just for curiosity, I checked the server that hosts this forum which I think is GoDaddy.com.
It showed two different addresses with one getting a "B" grade and the other showing a red "F" for fail!
So.... Are our passwords at risk on this forum?
Terryphi


Joined: 02 Jul 2008
Posts: 760
Location: West Wales, Britain.

Posted: Sat 12 Apr 2014, 01:52

8-bit wrote:
Just for curiosity, I checked the server that hosts this forum which I think is GoDaddy.com.
It showed two different addresses with one getting a "B" grade and the other showing a red "F" for fail!
So.... Are our passwords at risk on this forum?


Do you connect via https? Usual address quoted is unencrypted (http).

Quotes from SSL Report: ip-208-109-22-214.ip.secureserver.net :

This server is not vulnerable to the Heartbleed attack.

This server does not mitigate the CRIME attack. See https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

It fails other tests because the certificates expired 5 years ago.


I would not choose Go Daddy as a host if I needed a secure server!
