
Re: [FD] Audit: don't only focus on heartbleed issue



The fact that for BEAST, CRIME and LT there is not a fully implemented
and *public* PoC doesn't mean that those attacks were/are not critical.

They were very critical when they came out, and involved more trickery
than Heartbleed to work.

I guess you can find full PoC implementations if you search hard ;-)

Cheers
antisnatchor

Ron Bowes wrote:
> Are there actually any real-world attack scenarios for BEAST, CRIME, or
> Lucky-thirteen?
>
> Heartbleed has been used in actual legitimate attacks, but those earlier
> attacks all seem pretty tame in comparison. Worth fixing, of course, but
> they don't seem *as* critical to me.
>
> Ron
>
>
> On Wed, Apr 16, 2014 at 3:10 AM, Shawn <citypw@xxxxxxxxx> wrote:
>
>> After an exciting and crazy week, people are getting calm and plan to or
>> have already started doing audits on their systems. But there is something
>> you might miss. The older versions of OpenSSL (like 0.9.8) might not be
>> affected by the heartbleed issue, but that doesn't mean you are secure. Don't
>> forget that the old OpenSSL versions are still vulnerable to BEAST (2011),
>> CRIME (2012), and Lucky-thirteen (2013)[1]. I do believe Lucky-thirteen is far
>> more dangerous than heartbleed, we just don't know. Once you start the
>> audit, please upgrade OpenSSL to the latest version. If you are using
>> 0.9.8, please upgrade to 0.9.8y, which is not vulnerable to the Lucky-13
>> issue.
>>
>> Fixing the heartbleed issue for websites is much easier than for networking
>> devices (firewall, UTM, SSL/IPsec VPN, etc.) and 3rd-party
>> software. This is definitely going to have an impact for the long term.
>>
>>
>> [1] http://www.isg.rhul.ac.uk/tls/
>>
>> --
>> GNU powered it...
>> GPL protect it...
>> God blessing it...
>>
>> regards
>> Shawn
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
