Phaedrus 209521 Report post Posted April 9, 2014 For those of you who care about this sort of thing... Fairly good summary here, with links to further reading. You probably don't need to do anything about this unless you run your own web servers (and that means looking after the servers, not just having a website). Unfortunately, we have no idea who already knew about this, or how they'd exploited it, or what they'd done with the information thus gained... Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data. The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises. 2 Quote Share this post Link to post Share on other sites
backrubman 64800 Report post Posted April 9, 2014 ...Unfortunately, we have no idea who already knew about this, or how they'd exploited it, or what they'd done with the information thus gained... Actually we do :) A group of cryptographers announced over a year ago that they had "owned" at least 20% of all the private keys from major sites and many others by using various techniques and speculated that if they had the resources of the NSA they could easily achieve close to 100%. They even set up a web site where you could go and upload your public key to see if they had the corresponding private key in their "collection" :) Do you really think the NSA invests all those resources, time, energy and money so they can monitor encrypted gobbledygook? Even though SSL won't stop the NSA from listening in if they want to, it is pathetic that CERB can't invest $30/year (I just bought one for $30) for a "trusted" SSL cert and do and automatic http -> https redirect to protect the naive CERB ladies using hotel Wifi from casual eavesdroppers. And if the MOD should read this and be insulted he need only drop me a note and I'll send along the $30 his way if he'll agree to do this (even though they once posted an annual budget in the hundred thousand dollar range). 2 Quote Share this post Link to post Share on other sites
cinelli 22184 Report post Posted April 18, 2014 protect the naive CERB ladies using hotel Wifi from casual eavesdroppers. Amazing how easy it is to eavesdrop on people in hotels. Quote Share this post Link to post Share on other sites
backrubman 64800 Report post Posted April 19, 2014 Amazing how easy it is to eavesdrop on people in hotels. That's actually how I discovered CERB and got to meet many wonderful CERB ladies (which changed my life forever) :) A Security Consultant friend of mine was hired by a major hotel chain to make recommendations on how they could better protect their guests (from becoming infected with viruses and other "threats" one exposes them self to connecting to a hotel WiFi network, like exposing their passwords, etc.). Because of my background in Internet and network security (no longer my line of work) I was hired by my consultant friend to consult with him and we undertook a study which involved monitoring what was flying though the air. It's important to point out that we were asked to do this by the network owners but I don't think you are breaking any laws by watching other traffic on a WiFi network you have the right to access (e.g. as a guest of the hotel). We were able to intercept over 300 usable logins and passwords in a single evening (mostly POP3 email accounts) but a CERB login was one of them (I had not heard of CERB before that). Ultimately the study did result in some improvements (we engineered the network so that although guest computers could access the Internet they no longer could communicate with other guest computers directly) but the WiFi network remains wide open for anyone to listen to, to this day and this is the case at all hotels with WiFi and what hotel doesn't offer this today? They all do. If CERB had a trusted SSL certificate we would still have known someone was accessing it but we wouldn't know who or have seen the login or MD5 password hash (which is trivial to convert back to plain text). Quote Share this post Link to post Share on other sites
cinelli 22184 Report post Posted April 19, 2014 I saw one wifi network that showed username and password in plain text. That blew my mind. Quote Share this post Link to post Share on other sites