Found vulnerability in OpenSSL 1.0.1 through 1.0.1f - Security

CHAT PRIVACY DONATE

FAQ WIKI HEALTH & SAFETY ARTATTITUDE

ACTIVE TOPICS

Welcome to the DMT-Nexus » THE DMT-NEXUS SITE » Safety » Security » Found vulnerability in OpenSSL 1.0.1 through 1.0.1f

Found vulnerability in OpenSSL 1.0.1 through 1.0.1f

Options

Vodsel

#1
Posted : 4/8/2014 2:42:05 PM

DMT-Nexus member

Posts: 1711

Joined: 03-Oct-2011

Last visit: 20-Apr-2021

To whom it may concern (most likely Trav is aware of this already):

A serious vulnerability in the OpenSSL library was found and reported yesterday, April 7th - The Heartbleed Bug.

Quote:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Fix requires update to OpenSSL 1.0.1g - Statement by OpenSSL project

-- Basics for Indoor Gardening Thread --

-- Jurema: Spreading the Medicine --

"The Menu is Not The Meal." - Alan Watts

www.rueshop.com
Good quality Syrian rue (Peganum harmala) for an incredible price!

www.rueshop.com

The Traveler

#2
Posted : 4/8/2014 5:55:59 PM

"No, seriously"

Posts: 7324

Joined: 18-Jan-2007

Last visit: 14-Apr-2024

Location: Orion Spur

Vodsel wrote:

To whom it may concern (most likely Trav is aware of this already):

Luckily we do not do anything with the OpenSSL library.

Kind regards,

The Traveler

FAQ-Wiki-Attitude
Nexus Collaborative Research Project: Join us in our quest for entheogenic knowledge!

"Don't be a robot, use your brain" - Uncle known

cyb

#3
Posted : 4/12/2014 9:10:06 AM

DMT-Nexus member

Posts: 3574

Joined: 18-Apr-2012

Last visit: 05-Feb-2024

Report: NSA knew about Heartbleed bug and took advantage of it, but the NSA denies the charge.

Quote:

The National Security Agency has known about the Heartbleed bug, which has compromised two-third of the world’s websites, for over two years, and has been actively trying to exploit it, according to reports. However, not long after the report surfaced, the NSA denied knowing about the bug before the public did, and called the reports “wrong.”

Source

The Nexian * Cybs Hybrid ATB 'Salt' Tek * MAX ION tek * Machine

Please do not PM tek related questions

Reserve the right to change your mind at any given moment.

Ufostrahlen

#4
Posted : 4/12/2014 9:41:18 AM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ

Posts: 1716

Joined: 23-Apr-2012

Last visit: 23-Jan-2017

That is why you want Forward Secrecy in your cipher suite. If the key for one session is corrupted, past sessions can't be reconstructed, since with Forward Secrecy the keys are negotiated every single session.

The Nexus uses Forward Secrecy and the Schannel library, not the OpenSSL library. Which may be beneficial, maybe not. OpenSSL is open, Schannel is closed.

The question is: has Schannel a back-door, too? Or are the random number generators in Windows compromised, so reconstruction is easy with huge data centers? Nobody can tell, as the source code isn't open.

Which leads to the ultimate question: has the NSA forced Microsoft to corrupt their random number generators or their cipher library? And sign a non-disclose agreement because of "national security" by "court" order?

The NSA _did_ corrupt RSA, which core business is data security:
http://www.reuters.com/a...sa-idUSBREA2U0TY20140331

TL;DR: be careful with your online activity, current events prove that computer security is under attack daily.

Internet Security: PsilocybeChild's Internet Security Walk-Through ✨ (1) ✨ (2) ✨ (3) ✨ (4) ✨ (5) ✨ (6) ✨ (7) ✨ (8)
✨ Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search. ✨

bindu

#5
Posted : 4/16/2014 1:22:22 AM