[nSLUG] Nasty zero day vulnerability in openssl CVE-2014-0160

Chris R. Thompson chris.thompson at solutioninc.com
Fri Apr 11 06:20:32 ADT 2014


So your software's old and you don't pay by debit?



-------- Original message --------
From: Mike Spencer <mspencer at tallships.ca>
Date: 04/11/2014 2:56 AM (GMT-04:00)
To: nslug at nslug.ns.ca
Subject: [nSLUG] Re: Nasty zero day vulnerability in openssl CVE-2014-0160


Ben wrote:

> On 04/08/2014 08:37 PM, Mike Spencer wrote:
>
>> So if you're not a bleeding edge updater, Don't Panic. :-) E.g. one
>> report says Slackware 13.37 uses SSH 0.9.8, sans heartbeat. My even
>> older distro also uses 0.9.8.
>
> The downside of that is that 0.9.8 can only do TLS 1.0, which is
> much weaker than TLS 1.2. You should look into upgrading to a
> version of your distro that doesn't have such out of date software,
> as it is more likely to be vulnerable to certain kinds of attack
> (just not this one).

Not to start a protracted argument, but I don't really trust any of
the notionally "secure" protocols.  I admittedly haven't read the
relevant RFCs but I read comp.risks.  I don't do anything over the net
that involves money -- banking, shopping, paypal, for-fee online
services with CC, tax returns -- or life-critical info.  It's unlikely
(albeit not astronomically so) that I'd be personally targeted but
there are repeated failures and foul-ups -- rogue or dubious cert
authorities, bulk data losses from behind encrypted transactions,
zero-day vulns including this latest major one.

If I were contemplating the overthrow of a sovereign state, the purchase
of nuclear weapons or just trying to disappear, I suppose I'd try to
use PGP or GPG combined with steg and some way to defeat traffic
analysis.

And yes, if I were running an open Apache, sendmail or other server,
I'd have to upgrade numerous things that presently only accept contact
from localhost.

As it is, I only marginally understand the mechanism of SSL/TLS and
don't feel I can rely on it to be secure.

I do take various steps to avoid data collection about me by remote
sites but that's mostly another issue.

- Mike

-- 
Michael Spencer                  Nova Scotia, Canada       .~. 
                                                           /V\ 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^
_______________________________________________
nSLUG mailing list
nSLUG at nslug.ns.ca
http://nslug.ns.ca/mailman/listinfo/nslug