Re: [openssl-users] Vulnerability Disclosures
On 12 July 2015 at 03:31, Salz, Rich rs...@akamai.com wrote:

> I'd be concerned about doing that. While this one seemed pretty rare -- only folks running a release less than 30 days old in production -- as a general rule, it's impossible to tell. For example, we THINK that PSK isn't used much, but we have no idea -- it's real popular in the Internet of Things, for example.
>
> It seems safer to say nothing than to say something misleading or wrong. We'd like to give as much information as possible, but not enough to expose the vulnerability exploit and not anything that could be misleading. It's a very hard point to triangulate.

I don't really see this being feasible. For example, many of our clients get confused when we report openssl vulnerabilities against some SSL accelerator or proxy device simply because they're unaware that the code in the device is based on openssl.

Cheers
Rich.

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Vulnerability Disclosures
> I wanted to suggest that when notifying of new vulnerabilities, in addition to the severity level, information is also provided about how widespread the issue is expected to be. For example, the statement might say "this high severity bug is expected to affect around 70% of cases", or for CVE-2015-1788 it would presumably state "around 1%" as it affects only client-side uses. This would help OpenSSL users gauge whether the upcoming vulnerability is "heartbleed"-level, or less serious/widespread. Currently a wide variety of vulnerabilities are just indicated as "high" severity, which could mean anything from a relatively minor DoS affecting 5 implementations to MITM affecting all servers/browsers.

Wide-spread-ness is an interesting factoid, but I kind of feel like it's not really relevant. OpenSSL is kind of ubiquitous, so adverse events are kind of widespread by definition.

I've worked in Risk as a Security Architect. An organization has a risk posture, and they will choose to remediate a vulnerability that applies to them; or they will choose to do nothing and accept the risk. An organization will also assess their partners, and ensure compatible security postures as a matter of governance. If their partner is deficient, then they will have to address that risk too or do nothing and accept the risk.

The monoculture based on OpenSSL's success is a hindrance, too. It's kind of like a genome that's lost its genetic diversification. An interesting talk about it is Dan Geer's Heartbleed as Metaphor, http://www.lawfareblog.com/heartbleed-metaphor.

Jeff
Re: [openssl-users] Vulnerability Disclosures
> I wanted to suggest that when notifying of new vulnerabilities, in addition to the severity level, information is also provided about how widespread the issue is expected to be.

I'd be concerned about doing that. While this one seemed pretty rare -- only folks running a release less than 30 days old in production -- as a general rule, it's impossible to tell. For example, we THINK that PSK isn't used much, but we have no idea -- it's real popular in the Internet of Things, for example.

It seems safer to say nothing than to say something misleading or wrong. We'd like to give as much information as possible, but not enough to expose the vulnerability exploit and not anything that could be misleading. It's a very hard point to triangulate.

/r$
[openssl-users] Vulnerability Disclosures
Hi,

I apologize if this is the wrong place for this email - it seemed to be the most suitable of the mailing lists.

I wanted to suggest that when notifying of new vulnerabilities, in addition to the severity level, information is also provided about how widespread the issue is expected to be. For example, the statement might say "this high severity bug is expected to affect around 70% of cases", or for CVE-2015-1788 it would presumably state "around 1%" as it affects only client-side uses. This would help OpenSSL users gauge whether the upcoming vulnerability is "heartbleed"-level, or less serious/widespread. Currently a wide variety of vulnerabilities are just indicated as "high" severity, which could mean anything from a relatively minor DoS affecting 5 implementations to MITM affecting all servers/browsers.

Thanks,
James