[NTLUG:Discuss] Critical crypto bug

Carl Haddick sysmail at glade.net
Mon Apr 7 15:10:05 CDT 2014


I'm not very well read in cryptography, which is thorough ignorance on my
part.

Maybe as more people learn about crypto the world will get safer.

For instance, I didn't know until recently that every normal https dialog
with a given server always uses the same encryption key. I thought there was
a session key involved, but it's trivial - once you get the server's
certificate - to use Wireshark to review a decrypted https session from
anywhere you can capture the packets.

I had no idea it was that easy.

Probably time for me to learn a little more, and see how the things I trust
(ssh, for example) work. The details might be good to know.

Mode 600 for certs is pretty good advice, I guess. :-)

Carl



> -----Original Message-----
> From: Discuss [mailto:discuss-bounces at ntlug.org] On Behalf Of Greg Edwards
> Sent: Monday, April 07, 2014 11:25 AM
> To: NTLUG Discussion List
> Subject: Re: [NTLUG:Discuss] Critical crypto bug
> 
> Big time OOPS!!
> 
> Note to all programmers, NEVER use goto!!  IMHO "goto" should be removed
> from every programming language known to man.
> 
> Greg
> http://greg.edwards-tx.us
> 
> 
> Fred wrote:
> > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
> >
> > by Dan Goodin - Mar 4 2014
> >
> > Hundreds of open source packages, including the Red Hat, Ubuntu, and
> > Debian distributions of Linux, are susceptible to attacks that
> > circumvent the most widely used technology to prevent eavesdropping on
> > the Internet, thanks to an extremely critical vulnerability in a
> > widely used cryptographic code library.
> >
> > The bug in the GnuTLS library makes it trivial for attackers to bypass
> > secure sockets layer (SSL) and Transport Layer Security (TLS)
> > protections available on websites that depend on the open source
> > package. Initial estimates included in Internet discussions such as
> > this one indicate that more than 200 different operating systems or
> > applications rely on GnuTLS to implement crucial SSL and TLS
> > operations, but it wouldn't be surprising if the actual number is much
> > higher. Web applications, e-mail programs, and other code that use the
> > library are vulnerable to exploits that allow attackers monitoring
> > connections to silently decode encrypted traffic passing between end
> > users and servers.
> >
> > Read the rest at the link above
> >
> > _______________________________________________
> > http://www.ntlug.org/mailman/listinfo/discuss
> >
> 




