Another SSL Bug

Rick Moen
<r***> Fri, Jun 6, 2014 at 2:38 AM
To: svlug@*****

Remember back in April, when a large portion of the Internet was suddenly exposed to a grave bug (‘Heartbleed’) in the OpenSSL crypto libraries? Back then, it turned out upon examination that most systems using OpenSSL ducked the bullet because only the very most recent OpenSSL releases (1.0.1 through 1.0.1f) included the buggy and mostly pointless feature.

Well, it’s a new day, and an… old bug has been discovered. That is, a very grave coding error (CVE-2014-0224) has been discovered that’s been present in -every- release of OpenSSL since the very beginning – all 16 years of releases.

Thursday, a coder named Masashi Kikuchi was working on a project to write his own SSL/TLS code, and one of the uncertain parts was a protocol spec called ChangeCipherSpec (CCS), whereby an SSL or TLS client and server can, at specified times and carefully controlled ways, negotiate change from one cipher suite to another.

So, Masashi studied the way OpenSSL implemented CCS – and quickly noticed that OpenSSL does it wrong. OpenSSL doesn’t merely accept CCS requests at the specified times and carefully controlled ways, but also at pretty much any time and any manner – with the consequence that attackers can exploit this nonstandard behaviour so that they can decrypt and/or modify data in the communication channel.

Which OpenSSL versions, you ask? As I mentioned above, all of them. Every single release of OpenSSL over the past 16 years has had exploitably buggy CCS.

Remember how many sites were quietly relieved that the Heartbleed bug didn’t affect SSH, only SSL-wrapped HTTP? No such luck, this time. I see offhand no reason why this bug cannot also be used to attack OpenSSH. (I could be wrong.)

Both server-side and client-side uses of OpenSSL are threatened by this bug.

The major distros have rushed out new packages already. You know what to do!

svlug mailing list
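To illustrate the ordering problem Rick describes, here is a toy server-side handshake tracker written for this page (example code, not OpenSSL’s): the strict version accepts ChangeCipherSpec only once a master secret exists, while the lax version honours it in any state and ends up with record keys derived from no secret at all. The state names, the four-message subset of the handshake and the key-derivation stand-in are simplifying assumptions.

```python
import hashlib

# Simplified server-side ordering: message -> (state it is valid in, next state).
# States: "start", "hello" (no key material yet), "keyed" (master secret exists),
# "ccs" (record keys switched), "done".
ALLOWED = {
    "ClientHello":       ("start", "hello"),
    "ClientKeyExchange": ("hello", "keyed"),
    "ChangeCipherSpec":  ("keyed", "ccs"),
    "Finished":          ("ccs",   "done"),
}

def derive_keys(master_secret):
    """Stand-in for TLS key derivation: record keys are a function of the master secret."""
    return hashlib.sha256(b"record-keys|" + (master_secret or b"")).hexdigest()[:16]

class ServerHandshake:
    def __init__(self, strict=True):
        self.strict = strict   # True: enforce ALLOWED; False: honour CCS in any state
        self.state = "start"
        self.master_secret = None
        self.record_keys = None

    def receive(self, msg):
        expected, nxt = ALLOWED[msg]
        if self.state != expected:
            if msg == "ChangeCipherSpec" and not self.strict:
                # Lax behaviour: an out-of-order CCS is honoured anyway, switching
                # to keys derived from whatever secret exists (here: none at all).
                self.record_keys = derive_keys(self.master_secret)
                return
            raise ValueError(f"{msg} not allowed in state {self.state}")
        if msg == "ClientKeyExchange":
            self.master_secret = b"constructed-master-secret"  # constructed sample value
        elif msg == "ChangeCipherSpec":
            self.record_keys = derive_keys(self.master_secret)
        self.state = nxt

def run_handshake(messages, strict=True):
    """Feed a message sequence to a fresh server; return (accepted, record_keys)."""
    server = ServerHandshake(strict)
    try:
        for m in messages:
            server.receive(m)
    except ValueError:
        return False, None
    return True, server.record_keys
```

In lax mode a CCS sent right after ClientHello yields keys equal to derive_keys(b""), which anyone who knows the derivation can compute; the strict tracker rejects that sequence outright.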


What is five nines?

The telcos and RBOCs believe they have two great features – High Availability and High Line Quality. The old US Sprint commercial, “You could hear a pin drop,” was reminiscent of what this is about.

In any case, “five nines” meant you had “high availability” for a service. It is still widely used in the industry, but often ignored.

In plain terms, the percentages translate as follows:

  • 99.999% uptime is just over 5 minutes per year of down time.
  • 99% uptime means 3 days per year – down.
  • 98% uptime means 7 days per year or about 30 minutes a day – down.


Heartbleed Bug – Status, What, & Who

Where Do Web Sites Stand, Post-Heartbleed

How Heartbleed Bug Works

2014 April, 21

  • A scan of the top 1 million Web sites found that none of the top 1,000 sites were vulnerable to the Heartbleed OpenSSL bug, and only 0.53 percent of the top 10,000, 1.5 percent of the top 100,000 and 2 percent of the top 1 million were vulnerable, according to the security firm Sucuri Security.


Items Below

  • Rick Moen’s FAQ
  • How the Heartbleed bug scurried into the hearts and minds of millions – April 17
  • There Will Be More Blood – April 14
  • THE FIX by Neel Mehta of Google Security – April 9
  • MAJOR SECURITY ISSUE WITH SSL: Does the Heartbleed Bug Mean You Should Stay Off the Internet? – April 9


Rick Moen’s FAQ

There are several other very worthwhile places posting commentary.
If no other, read Bruce Schneier’s blog.

Otherwise, you can read the FAQ in the mailing list archive below.

Here’s how the Heartbleed bug scurried into the hearts and minds of millions
2014 April, 17
There Will Be More Blood
2014 Apr, 14
THE FIX by Neel Mehta of Google Security
2014 April, 9 (OpenSSL commitdiff 96db9023b881d7cd9f379b0c154650d6c108e9a3)
MAJOR SECURITY ISSUE WITH SSL: Does the Heartbleed Bug Mean You Should Stay Off the Internet? | Mother Jones
2014 April, 9



For strings plus (+) is faster than the function concat()

According to Mozilla, using ‘+’ or ‘+=’ to concatenate strings is faster than concat(). You probably want some proof.

Here are the two versions:

'Coucou '.concat('c\'est ', 'nous !');

'Coucou ' + 'c\'est ' + 'nous !';

Ignoring the ‘.join()’ variant in this comparison, it is quite apparent that ‘+’ wins hands down.

Even when doing nasty concatenation, it wins.

With very short strings, ‘concat()’ gets closer, but plus (+) still wins.

It turns out that ‘+=’ and the explicit ‘a = a + b’ form are nearly identical.

In every variation, plus (+) wins.

Plus (+) wins