[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Audit: don't only focus on heartbleed issue
- To: Shawn <citypw@xxxxxxxxx>
- Subject: Re: [FD] Audit: don't only focus on heartbleed issue
- From: Ron Bowes <ron@xxxxxxxxxxxxxxxxx>
- Date: Wed, 16 Apr 2014 11:03:38 -0700
Are there actually any real-world attack scenarios for BEAST, CRIME, or
Lucky-thirteen?
Heartbleed has been used in actual legitimate attacks, but those earlier
attacks all seem pretty tame in comparison. Worth fixing, of course, but
they don't seem *as* critical to me.
Ron
On Wed, Apr 16, 2014 at 3:10 AM, Shawn <citypw@xxxxxxxxx> wrote:
> After an exciting and crazy week. People are getting calm and plan or
> already start to doing audit on their system. But there are something
> you might miss. The older version of OpenSSL( like 0.9.8) might not
> affected by heartbleed issue but it doesn't mean you are secure. Don't
> forget the old OpenSSL are still vulnerable to BEAST( 2011), CRIME(
> 2012), Lucky-thirteen( 2013)[1]. I do believe Lucky-thirteen is far
> more dangerous than heartbleed, we just don't know. Once you start the
> audit, plz upgrade the OpenSSL to the latest version. If you are using
> 0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to Lucky-13
> issue.
>
> Fix heartbleed issue for website is much easier than the networking
> devices( Firewall, UTM, SSL/IPSEC VPN, etc) and the 3rd-party
> software. This definitely gonna impacting for long term.
>
>
> [1] http://www.isg.rhul.ac.uk/tls/
>
> --
> GNU powered it...
> GPL protect it...
> God blessing it...
>
> regards
> Shawn
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/