FYI! http://www.wired.com/2014/06/heartbleed-redux-another-gaping-wound-in-ssl-uncovered
" “This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes,” reads an FAQ published by Kikuchi’s employer, the software firm Lepidum <http://ccsinjection.lepidum.co.jp/>. Ashkan Soltani, a privacy researcher who has been involved in analyzing the Snowden NSA leaks for the NSA and closely tracked SSL’s woes, offers this translation: “Basically, as you and I are establishing a secure connection, an attacker injects a command that fools us to thinking we’re using a ‘private’ password whereas we’re actually using a public one.” Unlike the Heartbleed flaw, which allowed anyone to directly attack any server using OpenSSL, the attacker exploiting this newly discovered bug would have to be located somewhere between the two computers communicating. But that still leaves open the possibility that anyone from an eavesdropper on your local Starbucks’ network to the NSA to strip away your Web connection’s encryption before it’s even initialized. According to a blog post by Kikuchi <http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html>, the flaw has existed since the very first release of OpenSSL in 1998. He argues that despite the widespread dependence on the software and its recent scrutiny following the Heartbleed revelation, OpenSSL’s code still hasn’t received enough attention from security researchers. “The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation,” he writes. “They could have detected the problem.” " http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html -- PGP: 084F 95C0 BD1B B15A 129C 90DB A539 6393 6999 CBB6 www.NARIMAN.Tel
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
