and the others need a MITM attack which is not *that* easy as connect to a server and send a heartbleed-packet without anything in the logs of the attacked server frankly outside a public hotspot / untrusted network nobody but the NSA and otehr agencies are able to really to MITM Am 16.04.2014 20:03, schrieb Ron Bowes: > Are there actually any real-world attack scenarios for BEAST, CRIME, or > Lucky-thirteen? > > Heartbleed has been used in actual legitimate attacks, but those earlier > attacks all seem pretty tame in comparison. Worth fixing, of course, but > they don't seem *as* critical to me. > > On Wed, Apr 16, 2014 at 3:10 AM, Shawn <citypw@xxxxxxxxx> wrote: > >> After an exciting and crazy week. People are getting calm and plan or >> already start to doing audit on their system. But there are something >> you might miss. The older version of OpenSSL( like 0.9.8) might not >> affected by heartbleed issue but it doesn't mean you are secure. Don't >> forget the old OpenSSL are still vulnerable to BEAST( 2011), CRIME( >> 2012), Lucky-thirteen( 2013)[1]. I do believe Lucky-thirteen is far >> more dangerous than heartbleed, we just don't know. Once you start the >> audit, plz upgrade the OpenSSL to the latest version. If you are using >> 0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to Lucky-13 >> issue. >> >> Fix heartbleed issue for website is much easier than the networking >> devices( Firewall, UTM, SSL/IPSEC VPN, etc) and the 3rd-party >> software. This definitely gonna impacting for long term. >> >> >> [1] http://www.isg.rhul.ac.uk/tls/
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/