A New Round Of OpenSSL Vulnerabilities Discovered
-
Originally posted by gamerk2:
So, can we put to bed the argument that "OSS is by nature more secure" now?
1) Just because someone slapped a "secure" label on something doesn't mean it's secure - whether it's open-source or proprietary.
2) If security was a boolean it would always evaluate to false. "More secure" doesn't mean "100% secure". And nothing is 100% secure. The question is the price of a successful attack in terms of money (computing resources), time and effort. If it's too costly it'll almost never happen. And almost never is considered good enough.
3) Heartbleed is overrated. It's just a bug, one out of many, that got blown way out of proportion by journalists. No security expert has ever seriously believed SSL to be impenetrable. But when the alternative is using plain text for credentials and unencrypted streams for data, it's a no-brainer that SSL is better than nothing.
Last edited by prodigy_; 05 June 2014, 02:24 PM.
-
Looks like real-time chat is the biggest exploitable use of this against end users
I looked at these, and it looks like most of these are denial of service attacks, but one permits forcing the use of weak keys in HTTPS traffic and another permits arbitrary code execution against a machine engaged in real-time chats (DTLS seems to be used mostly for this sort of thing, according to what I could quickly dig up).
If you don't do real-time chat and rely on GPG when you need strong encryption, this won't likely hurt you. I only trust HTTPS to keep my ISP and various wifi hotspots from logging copies of my work; I do NOT trust it against the NSA or even the FBI, as it has too high a target profile.
Never bank online with any computer, never shop online except with prepaid credit cards whose entire balance is expendable. Don't bet your savings on being a better hacker than every last person out there who puts food on their table by black hatting!
-
Private disclosure
Some days ago the bugs had been privately communicated to a list of Linux distributions.
This is the timeline:
-
Originally posted by erendorn:
A closed source project with as many developers as OpenSSL (i.e., a very small project) would never have ended up on as many machines as OpenSSL did, even if it were free. Mostly because it would be neither auditable nor accountable; in other words, in a sense, too insecure.
As such, it's quite difficult to reach comparative conclusions when comparable non-OSS projects don't exist.
Bullshit alaaaaaarm.
Are you being paid by Microsoft or by Apple?
Open source = auditable & accountable. You can always trace the path by which someone made an error, and nobody will deny it or play the blame game, as happens most of the time in most multibillion corps.
- Oh, is that a security hole? I'm so sorry, must have been something the intern introduced. Wasn't my fault mr. chief executive.
- Is that so? Well, ok then. We'll sell it as a feature, not a bug.
Once again, bullshite.
-
Originally posted by arabek:
Open source = auditable & accountable. You can always trace the path by which someone made an error, and nobody will deny it or play the blame game, as happens most of the time in most multibillion corps.
-
Originally posted by tuubi:
Try reading that quote again before getting your panties in a twist. That's pretty much what erendorn said about accountability.
Originally posted by arabek:
Right, I must have been really tired or drunk to not notice that. Or both. Sorry!
np