Why is it called the Heartbleed Bug?

The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server.
This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of up to 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to increase the chances that a leaked chunk contains the intended secrets.
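The bounds check that RFC 6520 requires of a heartbeat responder, as an added example (not OpenSSL's code and not part of the original post): the responder treats payload_length as a claim and silently discards any message that claims more payload than was actually received. The names hb_build_response, hb_demo and the HB_* constants are hypothetical, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request  (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding the RFC requires */

/* msg_len is the byte count the record layer actually received.
 * Returns the response length, or 0 for "discard silently". */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (!msg || !out || msg_len < HB_HDR_LEN + HB_MIN_PAD || msg[0] != HB_REQUEST)
        return 0;
    /* payload_length comes from the peer: a claim, not a measurement. */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The claimed payload, header and padding must fit in what was received.
     * Without this test the memcpy below would read past the message. */
    if (claimed > msg_len - HB_HDR_LEN - HB_MIN_PAD)
        return 0;
    size_t resp_len = HB_HDR_LEN + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1]; out[2] = msg[2];   /* echo payload_length */
    memcpy(out + HB_HDR_LEN, msg + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD); /* real stacks send random padding */
    return resp_len;
}

/* Constructed input: a request with `actual` payload bytes that claims `claimed`. */
size_t hb_demo(uint16_t claimed, size_t actual)
{
    uint8_t msg[256] = {0}, out[256];
    if (actual > sizeof msg - HB_HDR_LEN - HB_MIN_PAD)
        return 0;
    msg[0] = HB_REQUEST;
    msg[1] = (uint8_t)(claimed >> 8);
    msg[2] = (uint8_t)(claimed & 0xff);
    memset(msg + HB_HDR_LEN, 'A', actual);
    return hb_build_response(msg, HB_HDR_LEN + actual + HB_MIN_PAD, out, sizeof out);
}

int main(void)
{
    printf("honest=%zu over-claimed=%zu\n", hb_demo(5, 5), hb_demo(0xFFFF, 5));
    return 0;
}
```

A request whose claimed length matches its payload is echoed; one that claims the 64k maximum while carrying 5 bytes yields no response at all.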

What makes the Heartbleed Bug unique?
Bugs in a single piece of software or library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, this exposure should be taken seriously.

Is this a design flaw in the SSL/TLS protocol specification?
No. This is an implementation problem, i.e. a programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services.

What is being leaked?
Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug, we have classified the compromised secrets into four categories: 1) primary key material, 2) secondary key material, 3) protected content and 4) collateral.

More information: http://heartbleed.com/

“Boot to Gecko” the new Mobile OS

 

"Boot to Gecko" is a mobile OS being developed by Mozilla.

Its main concept is that everything on it runs on the web. No native apps. Anyone can build and host their app on their own server (no app store).

Anyone can build their app in simple HTML5 and CSS (no special SDK needed like Apple or Android or WM7)… and, using their WebAPI, can interface with the Dialer, SMS, Camera, Bluetooth, etc.


Read more at: http://www.mozilla.org/en-US/b2g/

 

 

Shell Script to retrieve Certificate

Here is a helpful script I received from a friend-colleague to retrieve an SSL certificate and store it in a file in Linux.



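#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
# Prints the certificate presented by the server in PEM form on stdout.
# s_client continues even if verification fails, so treat the output
# as untrusted until the certificate has been checked.

if [ -z "$1" ]; then
    echo "usage: $0 remote.host.name [port]" >&2
    exit 1
fi

REMHOST=$1
REMPORT=${2:-443}

# The empty echo closes stdin so s_client exits after the handshake.
echo |\
/usr/local/ssl/bin/openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

# Use the command below to show certificates; don't use this with sed or you will only get the same output as the command above
#echo | /usr/local/ssl/bin/openssl s_client -showcerts -connect "${REMHOST}:${REMPORT}" 2>&1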

Method to read Jar versions

I have a test JSP that is used for testing the installation of the application.
In that, I needed to find the versions of the JAR files that are loaded by the server. I wrote a small method in a JSP to read the versions from the JAR files.


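// Class names are fully qualified so no JSP page import is required.
String readManifest(String jar) {
    java.util.jar.JarFile jarfile = null;
    try {
        jarfile = new java.util.jar.JarFile(jar);
        java.util.jar.Manifest manifest = jarfile.getManifest();
        if (manifest == null) { return "unknown"; } // JAR without a manifest
        // Check the main section first, then the per-entry sections.
        java.util.List sections = new java.util.ArrayList();
        sections.add(manifest.getMainAttributes());
        sections.addAll(manifest.getEntries().values());
        java.util.Iterator iter = sections.iterator();
        while (iter.hasNext()) {
            java.util.jar.Attributes attr = (java.util.jar.Attributes) iter.next();
            String str = attr.getValue(java.util.jar.Attributes.Name.IMPLEMENTATION_VERSION);
            if (str == null) {
                str = attr.getValue(java.util.jar.Attributes.Name.SPECIFICATION_VERSION);
            }
            // Return the first version found, so a later section without
            // a version cannot reset the result to "unknown".
            if (str != null) { return str; }
        }
        return "unknown";
    } catch (Exception ex) {
        return "Error:" + ex.getMessage();
    } finally {
        // Always release the file handle held by the JarFile.
        if (jarfile != null) {
            try { jarfile.close(); } catch (java.io.IOException ignored) { }
        }
    }
}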