[BlueOnyx:15143] Re: OpenSSL (CenOS-6.5/SL-6.5) CVE-2014-0160

Michael Stauber mstauber at blueonyx.it
Tue Apr 8 17:50:16 -05 2014


Hi Dan,

> AFAIK OpenSSH is not affected by the OpenSSL bug. While OpenSSH does use 
> OpenSSL for some key-generation functions, it doesn't use the TLS 
> protocol or the TLS heartbeat extension.

Yeah. But I'm not taking chances on this. Also, I laid off regeneration
of longer SSH key-pairs for quite a bit due to the required hassles. So
this time was as good as any to get it finally sorted.

> Re-keying SSL certs is a *very* good idea and I'm doing the same for 
> myself and all my customers keys.  It's one hell of a pain though.

It sure is.

> The other thing I want to point out is session keys.  I'd highly advise 
> resetting all session keys and forcing everyone to log back in again.

Good point. As far as the BlueOnyx goes that's in the clear, though. The
GUI session keys expire after 60 minutes of inactivity. But it all
depends on the application. Other pages that use session keys might not
expire them at all. Which is a security sin in the first place, tbh.

> I bet Apple are feeling smug right now

Ah, I wouldn't be so sure of that. Android isn't much better off there
either. There are some legacy Android versions that won't get patched
unless the respective vendors get off their collective behinds and
Android also had their own SSL-gate with apps not following the
established procedures of verifying SSL certs. Then there is the huge
quantity of affected routers and other "black box" devices affected by
this SSL issue in one form or other. It's pretty sad that so much of the
net's security rests on such a piece of crap as OpenSSL.

I think Google is feeling pretty smug right now and rightfully so. AFAIK
Google developers found this bug.

Now think about this: I'm wondering if it's really a clever idea to
have Eric Rescorla working on the development of the TLS protocol. After
all, that's the guy who's responsible for the NSA backdoor in the Dual
EC DRBG algorithm.

See:

http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

https://tools.ietf.org/html/draft-rescorla-tls13-new-flows-01

He's also the one who had committed that crappy piece of code that did
lead to this issue to begin with.

While CVE-2014-0160 looks like a bug and smells like a bug, I wouldn't
wonder if it is a little more than that. If so, then the Google guys just
crashed the NSA's party. Payback is a bitch. :-)

-- 
With best regards

Michael Stauber


