Linked by Thom Holwerda on Tue 8th Apr 2014 22:06 UTC
Privacy, Security, Encryption

Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data safe.

Serious.

oiaohm (Member since: 2009-05-30)

http://technet.microsoft.com/en-us/security/bulletin/MS10-049

BallmerKnowsBest, read your own link. It details a flaw that does not come from the protocol alone. No matter how badly you implement SChannel, you should not end up with a means to do remote code execution. If you can execute code, you can request particular pages of memory. Microsoft had a buffer overflow into executable space if you left the protocol back in 2010. That should not have been possible if NX extensions and memory allocation in the CPU had been used correctly.

MS10-049 is in fact a means to collect data that is worse than the current OpenSSL flaw. With the current OpenSSL flaw you get random blocks of data, not exact data requests. The SChannel flaw in Windows back in 2010 also worked in reverse, from client to server. Luckily there are not many MS Windows servers on the internet.

Yes, on the scale of SSL screwups in implementations, the current OpenSSL one is not the worst that has happened. Heck, even the Microsoft SChannel flaw is not the worst.

Yes, you are right, it was a flaw in the TLS/SSL protocol, but Microsoft's implementation managed to handle it worse than everyone else. Insanely worse.

The problem here is that every SSL implementation, closed or open, has been having major issues. Still there is no unified test suite to confirm that an implementation is to standard. You will have some idiots come out and say it's because of a lack of professional management... In reality it's more a lack of conformance testing. For example, most web browsers should not be SSL conforming because they don't check if SSL certificates are revoked or not.

The reason why SSL works is more good luck than management.

Are we going to wake up now and demand good management? I don't think it would be a good idea to attempt to hold my breath waiting.

Reply Parent Score: 1
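As an added illustration of the kind of check whose absence the comment describes (example code written here, not OpenSSL's and not the poster's), a small C model of a heartbeat handler that drops a record whose declared payload length exceeds what actually arrived; the record layout constants, function names and sample bytes are constructed assumptions:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model (not OpenSSL's code) of a TLS heartbeat record:
 * 1-byte type, 2-byte payload length, payload, then at least 16 bytes
 * of padding. Names and constants are assumptions for this example. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the echo response. Returns bytes written, or -1 if the record
 * must be dropped. The length check mirrors the Heartbleed fix: the
 * declared payload must fit inside the record that actually arrived. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* sender-controlled */
    /* Without this check the memcpy below would read 'payload' bytes after
     * rec+3 no matter how few bytes really arrived: that is the leak. */
    if (1 + 2 + payload + HB_PADDING > rec_len ||
        1 + 2 + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);  /* real code uses random bytes */
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Constructed request: 5-byte payload "hello" plus 16 bytes of padding. */
static int run_case(uint8_t len_hi, uint8_t len_lo)
{
    uint8_t rec[24] = { HB_REQUEST, len_hi, len_lo, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[256];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

int demo_well_formed(void) { return run_case(0x00, 0x05); } /* 24 */
int demo_oversized(void)   { return run_case(0xff, 0xff); } /* -1 */

int main(void)
{
    printf("well-formed: %d, oversized: %d\n", demo_well_formed(), demo_oversized());
    return 0;
}
```

The second case is the shape of record the comment refers to: a length field that promises far more payload than was sent, which a handler without the check would answer with whatever happened to follow the record in memory.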