OpenSSL Alert - June 11 Update HUGE vulnerability

Started by deanwebb, July 09, 2015, 10:10:45 AM


deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

Thanks for the heads up - we started getting queries on this and found out we're not vulnerable.
Engineer by day, DJ by night, family first always

wintermute000


icecream-guy

I think they updated the March OpenSSL vulnerability just for you Dean...
Cisco Identity Services Engine (ISE)    CSCut46056    1.3.x (4-July-2015)
Hopefully you are running 2.0



BTW a lot of the software fixes for the June OpenSSL are due late summer into fall.
:professorcat:

My Moral Fibers have been cut.

deanwebb

We're running CounterACT for NAC, but there's a lot of NAC stuff that's equal headaches, no matter what the platform is, because of all the crazy crap that plugs into it.

I want to punch the guy that made it so we can't run full packet captures from an iPhone. Isn't it a crime to not allow a device on the network to run packet captures? Don't they have Rights of Things?


deanwebb

Can we all just agree that, at this point, OpenSSL is now broker than hell?

Reggle

Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.

deanwebb

Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...

Otanx

Quote from: deanwebb on July 14, 2015, 11:22:44 AM
Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...

The problem is what are you going to replace it with? Another fork of OpenSSL that will then never be audited, or updated? There are some serious concerns on the open-source model for a critical function like this, but I don't have a solution that is better. It will take people smarter than me to solve that problem.

-Otanx

AnthonyC

Quote from: Otanx on July 14, 2015, 02:09:24 PM
Quote from: deanwebb on July 14, 2015, 11:22:44 AM
Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...

The problem is what are you going to replace it with? Another fork of OpenSSL that will then never be audited, or updated? There are some serious concerns on the open-source model for a critical function like this, but I don't have a solution that is better. It will take people smarter than me to solve that problem.

-Otanx

LibreSSL should be a viable alternative; the developers are from the FreeBSD project and their vulnerability track records look better than OpenSSL.  It is actually the default SSL implementation for FreeBSD since last year.
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

wintermute000

Apparently the development community on this project is stuffed. I read a long thread on it:


http://arstechnica.com/civis/viewtopic.php?f=2&t=1240611&start=40