[Users] [Bulk] [Half-OT] Re: Thanks for the per-session password!

Kevin Chadwick ma1l1ists at yahoo.co.uk
Tue Apr 22 20:23:04 CEST 2014 

previously on this list Albert ARIBAUD contributed:

> > There was also a lot of rubbish about clients like Android being
> > vulnerable. They contain the vulnerability but unless they are serving
> > data (hosting a website) which I've never heard of then they are not
> > vulnerable to any attack.  
> 
> Sorry for correcting, but yes, OpenSSL *clients* are just as vulnerable 
> as OpenSSL servers.
> 
> <http://heartbleed.com/>
> 
> "Bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer 
> security protocols) heartbeat extension (RFC6520). When it is exploited 
> it leads to the leak of memory contents from the server to the client 
> and from the client to the server."

Well I knew the heartbeat was after SSL negotiation but I didn't
realise it ran in both directions and so your memory could be read from
both sides, so thanks for pointing that out but they are not "just as
vulnerable" and this actually means telling people to use ssl more to
change their password is even worse, potentially it is a threat if YOU
connect via openssl to a service which has not updated *AND* is
compromised or untrustworthy or a key has been stolen from the
particular server and your connection can be MITM attacked. 

Especially when your Android devices web browser is likely using NSS or
gnutls.

The main threat is that the server (most use openssl) key may be leaked
by another user performing a legitimate connection and so any data even
from the past if stored but most likely new connections and on an
accessible route can be decrypted. At the same time the likelihood of
server compromise at that time is hugely increased so asking users to
rush out and use SSL whilst putting their passwords in memory is the
worst thing to immediately advise.

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________

I have no idea why RTFM is used so aggressively on LINUX mailing lists
because whilst 'apropos' is traditionally the most powerful command on
Unix-like systems it's 'modern' replacement 'apropos' on Linux is a tool
to help psychopaths learn to control their anger.

(Kevin Chadwick)

_______________________________________________________________________

More information about the Users mailing list