Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: Tzupy on June 05, 2014, 05:09:38 PM



Title: New OpenSSL vulnerability
Post by: Tzupy on June 05, 2014, 05:09:38 PM
Article at Arstechnica: http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/
Would this concern bitcoin? I don't know, someone more knowledgeable please comment.


Title: Re: New OpenSSL vulnerability
Post by: Peter882 on June 07, 2014, 09:58:14 AM
Article at Arstechnica: http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/
Would this concern bitcoin? I don't know, someone more knowledgeable please comment.

I would like to know: is it safe to continue using version 0.9.1 with OpenSSL 1.0.1g?


Title: Re: New OpenSSL vulnerability
Post by: piotr_n on June 07, 2014, 10:32:07 AM
AFAIK, the SSL part of OpenSSL is only used there for the new payment protocol and RPC-SSL (the one you switch on with -rpcssl command line switch).

If you don't use any of the two features, you should not be affected by the vulnerability.
At least the recently reported one - the one that you are asking about.

Who knows what other devils are still in there...
OpenSSL is one big messy lib and devs just keep treating it like a black box, so nobody has an actual idea what this piece of crap does inside.


Title: Re: New OpenSSL vulnerability
Post by: dabura667 on June 07, 2014, 12:59:09 PM
AFAIK, the SSL part of OpenSSL is only used there for the new payment protocol and RPC-SSL (the one you switch on with -rpcssl command line switch).

If you don't use any of the two features, you should not be affected by the vulnerability.
At least the recently reported one - the one that you are asking about.

Who knows what other devils are still in there...
OpenSSL is one big messy lib and devs just keep treating it like a black box, so nobody has an actual idea what this piece of crap does inside.

I think there's a division of people in the NSA whose sole job is to create huge bugs that are hard to find and push them onto open source crypto projects.

I'mma take my tin foil hat and uhhhh lock myself in a bunker for the rest of my life now...


Title: Re: New OpenSSL vulnerability
Post by: piotr_n on June 07, 2014, 01:02:08 PM
I think there's a division of people in the NSA whose sole job is to create huge bugs that are hard to find and push them onto open source crypto projects.
Of course there is.
Mr Snowden was very specific about this, already like a year ago.
And now they are trying to get his ass, just for exposing it.


Title: Re: New OpenSSL vulnerability
Post by: Sydboy on June 07, 2014, 01:23:20 PM
I do not understand some of this. Are the vulnerabilities related to new version of OpenSSL or have they always been there but someone finally figured out an exploit(s)?


Title: Re: New OpenSSL vulnerability
Post by: piotr_n on June 07, 2014, 01:31:00 PM
I do not understand some of this. Are the vulnerabilities related to new version of OpenSSL or have they always been there but someone finally figured out an exploit(s)?
From what I read, these vulnerabilities were there for years.

The public finally figured them out, but for all we know someone could have just as well planted them there, in which case he'd have an exploit(s) ever since.

After the Heartbleed incident, people have finally started to seriously audit this code.
These are just the first findings - I'm betting more will come.


Title: Re: New OpenSSL vulnerability
Post by: Sydboy on June 07, 2014, 01:37:01 PM
Thanks for clearing that up, I understand now.
Heartbleed was pretty annoying. God help us if they come up with more and more.

At least IT specialists will have jobs :)