Menu
blog.headdesk.me
blog.headdesk.me

So is SSL no longer secure?

Posted on 2014/04/092014/04/10

Had a busy day today because of the recently publicised OpenSSL vulnerability (CVE-2014-0160). Existing private keys are no longer secure. I suppose closed systems still got its value.

Is GnuTLS better? Seems not. It’s not recommended and was even considered harmful.

Meanwhile it may be a good idea to review how SSL works. There is an excellent article on Digicert that describes this

So in order for heartbleed to successfully steal data, an attacker will need to

  • Steal the site’s private key
  • Steal the symmetric session key, decrypt it with the site private key
  • Tap into traffic streams between target server and target user
  • Decrypt captured traffic using the stolen session key

Extending this further, with a site’s private key, attacker can create a new certificate, set up a phishing site, steal the site’s DNS record using other techniques unrelated to heartbleed, and then impersonate the target systems.

If the attacker manages to compromise the CA’s certificate infrastructure, they can start making self-generated certificates and sign them using the stolen CA key.

This really makes SSL no longer a secure protocol. On the bright side, it’s not trivial to steal your data utilizing the heartbleed vulnerability.

References:

http://www.zdnet.com/gnutls-big-internal-bugs-few-real-world-problems-7000027041/

facebookShare on Facebook
TwitterTweet

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Full text search

Recent Posts

  • Dumping AWS Organization tree
  • Free is the most expensive
  • Terraform conditional resource and blocks
  • Upgrade Ubuntu 16.04 to latest release
  • Inspect and control network traffic on AWS
  • aws (8)
  • coffee (1)
  • headfi (1)
  • linux (7)
  • others (55)
  • security (2)
  • tech (36)
  • wordpress (2)

apache aws awscli azure backup cloud coffee coreos distributed filesystem docker ec2 EL8 elasticcache etckeeper featured heartbleed kernel linux mail meltdown mysql php pine python rdp rds Redhat Red Hat RHEL RHEL7 rpm Ryzen snapshot spectre SSL systemd tech terraform ubuntu ubuntu upgrade vector vpn wordpress xtreemfs yum

©2022 blog.headdesk.me | Powered by SuperbThemes & WordPress