HTTPS-crippling attack threatens tens of thousands of Web and mail servers
From http://arstechnica.com/security/2015...-mail-servers/
Quote:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
Does that mean all HTTPS sites, or only if they negotiate a new key?
I'm thinking: I have passwords & phrases into my bank account, does this allow the capture of my data?
__________________
Linux since 1999, & also a BSD user. |
|
||||
There is good news that comes out of this latest exploit exposure. The reuse of prime numbers was the core weakness that was exploited. Bruce Schneier wrote today:
Quote:
|
|
|||
I did read the linked article, but couldn't figure out if my bank details would be at risk.
It seems that it is only those that use Diffie-Hellman key exchange, but I don't know if a bank would be using it(?).
__________________
Linux since 1999, & also a BSD user. |
|
||||
Thank you for clarifying the question.
Both your bank and your browser use HTTPS and its underlying Transport Layer Security (TLS) protocol to encrypt traffic. TLS allows the two parties (webserver, browser) to pick and choose from each other's suite of permitted cipher systems, looking for a best match. This particular security problem is that a packet can be injected which forces a renegotiation of cipher systems, and forcing this very weak encryption technology which some websites -- but for our purposes more importantly most browsers -- still permit. The weakness is two factor: a short key, and reuse of prime numbers.

Your bank may or may not be affected, but your browser almost certainly is. As noted in the press, major browser makers are developing patches and expect to release security updates over the next few days. (Among the major browsers, only IE did not permit 512-bit DFE at the time this issue became public knowledge.)

You could ask your bank if they are impacted, but only if you can find the right technicians to ask. Otherwise, using a supported version of IE should be safe, because if your session is attacked IE should refuse the DFE 512 renegotiation.

Your personal account information is only used at the application layer, and is not part of the cipher key exchange. However, if there is a successful attack and plaintext is leaked or inserted, your transactions and your information may be compromised.

Last edited by jggimi; 21st May 2015 at 03:54 PM. Reason: will -> should.
|
|||
Thank you for the detailed explanation.
( I'll check for browser updates.)
__________________
Linux since 1999, & also a BSD user. |
|
|||
Until browsers update, some Firefox users are suggesting setting the following settings to false in about:config:

security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

I can't say that I know the implications of that change. Presumably it would force the connection to your bank to fail if it can't use one of the cipher suites not using export-grade Diffie-Hellman for key exchange, e.g. the ones using elliptic curve Diffie-Hellman.
|
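The same client-side mitigation applied to a different TLS client, as an added example that is not part of the thread: Python's `ssl` module stands in for the browser (an assumption), and the function names are hypothetical. It removes finite-field DHE key exchange from the client's offer and reports which key-exchange families remain.

```python
import ssl


def dhe_suites(ctx):
    """Names of enabled suites whose key exchange is finite-field ephemeral DH."""
    # OpenSSL reports the key exchange as 'kea'; 'kx-dhe' covers the DHE_RSA
    # family named in the about:config settings as well as anonymous DH.
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-dhe"]


def key_exchange_summary(ctx):
    """Count enabled suites per key-exchange family."""
    counts = {}
    for c in ctx.get_ciphers():
        kea = c.get("kea") or "unknown"
        counts[kea] = counts.get(kea, 0) + 1
    return counts


def no_dhe_client_context():
    """Client context (hypothetical helper) that never offers DHE suites."""
    ctx = ssl.create_default_context()
    # '!kDHE' permanently removes every suite using finite-field DHE, so a
    # server that accepts only DHE fails the handshake instead of agreeing
    # on a weak group. TLS 1.3 suites are unaffected and show as 'kx-any'.
    ctx.set_ciphers("DEFAULT:!kDHE:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    before = ssl.create_default_context()
    after = no_dhe_client_context()
    print("DHE suites offered by default:", dhe_suites(before))
    print("DHE suites after hardening:   ", dhe_suites(after))
    print("remaining key exchanges:      ", key_exchange_summary(after))
```
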
|||
Thanks for that info on about:config.
__________________
Linux since 1999, & also a BSD user. |