Jump to content

Ladies and gentlemen... Start your scanners


Recommended Posts

There a bug in OpenSSL 1.0.1 up to f (g is safe) and 1.0.2 up to beta1 (beta2 is safe).

It's listed at the top.

Here's a python script that can test a site for the vulnerability.

There's an online version here BUT that one logs the name and status of a tested site, as can be seen here so you might not want to use that...

Link to comment
Share on other sites

One very big thing to note about this vulnerability:

For the 2-year period that this bug existed anybody who knew about the issue was capable of reading a vulnerable site's memory, including the location that housed your private key. That means if you acquired a certificate (self-generated or bought) and used it on a vulnerable server, you need to do the following:

1. Update your software to prevent further exploitation.

2. Revoke your certificate.

3. Generate a new private key.

4. Get a trusted third party to reissue you a signed cert.

That last one will cost you money but you originally paid good money to get a certificate so you could use an encrypted communication channel which would seem to indicate it's worth something to you to have this communication channel secure. The cornerstone of that encryption has been compromised and until you replace it you cannot trust the communication channel to be secure.

It wouldn't be a bad idea to change any and all server-local passwords either.

Link to comment
Share on other sites

"Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication." Source

Link to comment
Share on other sites

Note that this means your forum password should be considered suspect (i.e. public) now aswell. On all affected https websites which, I fear, includes this one.

Link to comment
Share on other sites

There is also questions on the legality of the scanners. As scanning a site without the owners permissions is technically illegal. However as it's for good intentions, the law isn't being enforced.

Uh, no. Unless you have permission, written permission it best, it's illegal. PERIOD!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...