
(Krebs On Security)   Apparently the "Open" part of OpenSSL refers to the hole big enough for trucks full of your website's secret data   (krebsonsecurity.com)
    More: Fail, OpenSSL, trucks, private keys, encryption, ammunition dump, bugs, certifications  

993 clicks; posted to Geek » on 08 Apr 2014 at 6:33 PM (20 weeks ago)



Voting Results (Smartest)

ZAZ [TotalFark]
2014-04-08 06:36:00 PM
2 votes:
Maybe I should elaborate. Look at the code on meyerkev's link.

It's written in the style of the 1980s, when instructions per byte was thought important. Many computers couldn't saturate a 10 Mbps ethernet connection. Zero copy was a big deal. Scatter-gather interfaces were almost as good as a woman to a hacker. You didn't translate network blobs into a memory representation, the network blob WAS the memory representation. You cheered when you realized that the wraparound checksum commuted with ntohs, because that ntohs represented an instruction, or several if you were on a RISC instead of a VAX.

But now for most purposes you can afford to translate network format to a convenient host format, work on that, and undo the transformation to send a reply. It costs you a few cycles, but those are almost free. Cache misses aren't cheap, but writing to the stack doesn't add any cache misses.

In that host format you can have an explicit field length. In any language but C a variable length field is a bounds checked array. In C at least you have a length field that reminds you to be careful.

Some things are still data intensive and demand ugly code, but for a control instead of data message even I, who loved saving bytes and cycles in decades past, will translate into a more useful and safer format.
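The translate-to-host-format approach ZAZ describes, as an added example that is not code from this thread or from OpenSSL: a constructed wire format (1-byte type, 2-byte big-endian length, payload) is parsed into a host struct whose length field is validated against the bytes actually received before anything is copied, and the reply is built only from that validated field. The record layout, the `host_msg_t` struct and the `MAX_PAYLOAD` limit are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed host-side representation: the length field is explicit and only ever
   holds a value that has been checked against the real record size. */
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t  type;
    uint16_t length;               /* bytes actually present in payload[] */
    uint8_t  payload[MAX_PAYLOAD];
} host_msg_t;

/* Constructed wire layout: type (1 byte), big-endian length (2 bytes), payload. */
enum { HDR_LEN = 3 };

/* Translate a received record into the host struct.
   Returns 0 on success, -1 if the declared length does not fit in the record
   (or exceeds the host buffer). Nothing is copied on failure. */
int parse_record(const uint8_t *rec, size_t rec_len, host_msg_t *out)
{
    if (rec == NULL || out == NULL || rec_len < HDR_LEN)
        return -1;

    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);   /* ntohs by hand */

    /* The check that matters: the sender's claimed length is untrusted input and
       must be bounded by the bytes that really arrived on the wire. */
    if (declared > rec_len - HDR_LEN)
        return -1;
    if (declared > MAX_PAYLOAD)
        return -1;

    out->type   = rec[0];
    out->length = declared;
    memcpy(out->payload, rec + HDR_LEN, declared);
    return 0;
}

/* Undo the translation for a reply. Every size here comes from the validated
   host struct, never from the raw network blob. Returns bytes written, 0 on error. */
size_t build_reply(const host_msg_t *msg, uint8_t *buf, size_t buf_len)
{
    if (msg == NULL || buf == NULL || buf_len < HDR_LEN + (size_t)msg->length)
        return 0;
    buf[0] = msg->type;
    buf[1] = (uint8_t)(msg->length >> 8);
    buf[2] = (uint8_t)(msg->length & 0xff);
    memcpy(buf + HDR_LEN, msg->payload, msg->length);
    return HDR_LEN + msg->length;
}

/* Constructed sample records: one consistent, one whose declared length
   (0x4000 = 16384) far exceeds the 5 payload bytes actually present. */
static const uint8_t GOOD_REC[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BAD_REC[]  = { 0x01, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    host_msg_t msg;
    uint8_t reply[HDR_LEN + MAX_PAYLOAD];

    if (parse_record(GOOD_REC, sizeof GOOD_REC, &msg) == 0)
        printf("good record: type=%u length=%u reply=%zu bytes\n",
               msg.type, msg.length, build_reply(&msg, reply, sizeof reply));

    if (parse_record(BAD_REC, sizeof BAD_REC, &msg) != 0)
        printf("bad record: rejected, declared length exceeds record\n");
    return 0;
}
```

The point of the host struct is that every later consumer reads `msg.length`, which can only hold a value the parser has already bounded, so the bounds check is done once at the translation boundary instead of being re-derived (or forgotten) at each use of the raw blob.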
2014-04-08 10:18:30 PM
1 votes:
Too bad the open source fanboys are more interested in trolling forums than actually looking at code.
2014-04-08 08:11:40 PM
1 votes:
I read it on Ars this morning so I checked our security reports...we have 4 servers on our team with OpenSSL.  So I go to the site to download and update....and it's farked...all day...

I feel bad for those that had websites with it...they have to do more than just replace the binaries.  From Ars:

"The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises. "
2014-04-08 05:19:19 PM
1 votes:

Ivo Shandor: So does the NSA get credit for this one, or was it a legitimate 'oops'?


Technical details here:  http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

As best as I can tell, it was an oops.  They never quite thought about the interaction of a poorly behaved client and certain malloc* implementations.

* I need a piece of memory of size X.

/Of course, the best NSA bugs look like oops.  So consult your internal conspiracy theorist.
//Seriously though, we call them bugs because no one can admit to making that many mistakes.
 
Displayed 4 of 4 comments


