[GPSCC-chat] Heartbleed is real. Do something real.

Cameron L. Spitzer cls at truffula.us
Wed Apr 9 16:50:58 PDT 2014



Nobody credible is suggesting the NSA or anybody else has a backdoor in 
Secure Shell Version 2 (SSH) or the ciphers it uses. If it were even 
suspected, there would be a mad race to come up with a replacement.
SSH was developed in Finland because it's the only developed nation not 
subject to the US' "munitions related" export controls.  That's why the 
big security software developers all have offices there.  They learned 
that lesson from NSA's heavy-handed interference with the original 
Digital Encryption Standard and Pretty Good Privacy.  If you've been 
researching the history of digital security, you already know about 
those outrages.

To understand these problems, you have to distinguish /algorithm/ from 
/implementation/.  There is no "/method/."  The strength of SSH and its 
ciphers, and of PGP/GPG, and anything else that uses asymmetric 
encryption, including SSL, comes from the mathematical reality that it's 
astronomically more difficult to factor the product of two very large 
prime numbers than it was to multiply those two primes in the first 
place.  The NSA is about as "likely" to find a way around that as they 
are to find a way to travel faster than light.  That's algorithm.  
Vulnerabilities like Heartbleed come from mistakes in implementation, 
not from weaknesses in the mathematical algorithms themselves.  The last 
one we all had to patch (it was in SSH) was due to a mistake where a 
pseudorandom number was more predictable than it should have been.

Heartbleed <http://heartbleed.com/> gives a black eye to the "open 
source fanboys" who've been claiming for years that nothing this serious 
would ever get past the "crowd" of reviewers.  "Vulns" this bad get 
stopped in code-review all the time, and one got through.  But it hardly 
means "the NSA has a back door in everything."  ("The NSA has a back 
door in everything" is a way to rationalize your own choices of 
convenience over security.  Everybody does it.)
Nor does it mean the closed source implementations are better. Microsoft 
has its own SSL implementation.  It's surely been code-reviewed by NSA, 
and it may even have NSA's backdoor in it. Perhaps that's in the pile 
Snowden handed off to Greenwald, and /Der Spiegel/ hasn't got around to 
revealing it.

By the way, the media are reporting "two thirds of the Web" vulnerable. 
According to Netcraft 
<http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html>, 
it's 17% of hostnames.  Maybe the "two thirds" is because that 17% is 
most of the big names.

-/Cameron/
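
An added illustration of the algorithm/implementation distinction drawn above (not part of the original message, and not OpenSSL's code): a simplified toy heartbeat echo in C, with the unchecked handler beside its hardened form. No cipher is involved in either version; the only difference is one length check. The record layout, buffer contents and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* toy layout: 1 type byte + 2-byte claimed payload length */
#define RECORD_LEN 5   /* bytes that actually arrived: header + "hi" */

/* Constructed sample: a record claiming 16 payload bytes but carrying 2,
 * followed by unrelated data standing in for adjacent process memory. */
static const uint8_t memory[] = {
    0x01, 0x00, 0x10, 'h', 'i',
    'S','E','C','R','E','T','-','K','E','Y','-','0','0','0'
};

static size_t claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* The implementation mistake: the sender's claimed length is trusted. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    size_t n = claimed_len(rec);
    (void)rec_len;                       /* received length never consulted */
    if (n > cap) return 0;
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

/* Hardened form: discard any record whose claim exceeds what was received. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER) return 0;
    size_t n = claimed_len(rec);
    if (n > rec_len - HB_HEADER || n > cap) return 0;
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

/* Bytes a handler would send back beyond the payload that really arrived. */
size_t leaked_bytes(size_t (*handler)(const uint8_t *, size_t, uint8_t *, size_t))
{
    uint8_t reply[64];
    size_t sent = handler(memory, RECORD_LEN, reply, sizeof reply);
    size_t real = RECORD_LEN - HB_HEADER;
    return sent > real ? sent - real : 0;
}

int main(void)
{
    printf("unchecked leaks %zu bytes, checked leaks %zu\n",
           leaked_bytes(echo_unchecked), leaked_bytes(echo_checked));
    return 0;
}
```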



On 04/09/2014 03:19 PM, John Thielking wrote:
> I don't use online banking much, though I do pay bills with a debit 
> card. I may be able to use a real credit card soon instead, though I 
> have yet to actually receive the card that I was notified that was 
> sent to me in the mail. Like I said in another thread, the US govt 
> likely has a backdoor into every encryption /method/ [emphasis added] 
> out there, including RSA's stuff (there was a specific news item on 
> that one) and anyone running HTTPS. My best bet in regards to this is 
> that my Direct Express online access/password only allows me to look 
> at my account balance and transaction history.  As far as I know, I 
> can't look up my account number or transfer money by logging in. Good 
> luck.
>
> Sincerely,
>
> John Thielking
>
>
> On Wed, Apr 9, 2014 at 2:47 PM, Cameron L. Spitzer <cls at truffula.us 
> <mailto:cls at truffula.us>> wrote:
>
>
>     Most of the "secure" web sites you use have been *broken for the
>     last two years*.  Bruce Schneier says the OpenSSL "Heartbleed" bug
>     disclosed yesterday, on a scale of 1 to 10, is an 11,
>     "catastrophic
>     <https://www.schneier.com/blog/archives/2014/04/heartbleed.html>."  I
>     recommend James Fallows' coverage
>     <http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/>
>     at the Atlantic. Arstechnica
>     <http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/>
>     is even better, they demonstrate the exploit against yahoo.com
>     <http://yahoo.com>.
>
>     If you bank online, you need to check your bank's site with
>     something like this <http://filippo.io/Heartbleed/>, and change
>     your password.  Change it now, then check the site.  If the check
>     fails, check it again later, and change your password /again/ when
>     it passes.
>     The first change neutralizes your password which *was probably
>     stolen* during the last two years.  The second neutralizes the new
>     one that was stolen yesterday before your bank fixed its server. 
>     Now that the bug is public, you can safely assume *all* unpatched
>     sites are compromised.
>     If you run an HTTPS web server, you need to update it, and then
>     you need to get a new cert.  That's what your bank needs to do.
>     If someone else runs an HTTPS web server for you, check it.  If
>     it's broken and they don't fix it soon, change providers.
>
>     Forward as you see fit.
>
>     -/Cameron/
