Kurt just uploaded a version of OpenSSL to unstable that disables
the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the
only supported SSL/TLS protocol version.
This will likely break certain things that for whatever reason
still don’t support TLS 1.2. I strongly suggest that if it’s not
supported that you add support for it, or get the other side to
add support for it.
OpenSSL made a release 5 years ago that supported TLS 1.2. The
current support of the server side seems to be around 90%. I hope
that by the time Buster releases the support for TLS 1.2 will be
high enough that I don’t need to enable them again.
Between 2016-09-22 – 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.
Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was trigerred the response would include data from ANY other cloudfare proxy customer that happened to be in memory at the time. Meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn’t use those features. So the potential impact is every single one of the sites using CloudFare’s proxy services (including HTTP & HTTPS proxy).
“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k paged with private data leaked every day” — sauce
What action should you take?
As a precaution, change passwords for the following affected sites**: Reddit, Discord, Uber, Yelp, OKCupid, 4Chan, Mangafox, Crunchyroll, Patreon, Stackoverflow, and many more.
- curse.com (and some other Curse sites like minecraftforum.net)
The full list can be found here: <https://github.com/pirate/sites-using-cloudflare>
Official post: <https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/>
Please make sure to change your passwords as this **most likely affects everyone** and stay safe!
One unfortunate (albeit entirely predictable) consequence of making HTTPS certificates “fast, open, automated, and free” is that both good guys and bad guys alike will take advantage of the offer and obtain HTTPS certificates for their websites. Continue reading “Now that everybody can push CA to websites, so does the bad guys.”
Finnish web developer Viljami Kuosmanen has published a demo on GitHub that shows how an attacker could take advantage of browsers that support autofill profiles and leaves you exposed to leaking unwanted information!
This is a simple demonstration of form fields hidden from the user, but will be filled anyways when using the browser form autofill feature, which poses a security risk for users, unaware of giving their information to the website.
Wordfence, a WordPress security firm investigates the JAR-statement by and did not find any Russian connection, just plain malware Continue reading “Wordfence investigation on the alleged russian hacking”
The biggest practical development in crypto for 2016 is the finalization Transport Layer Security version 1.3. TLS is the most important and widely used cryptographic protocol and is the backbone of secure Internet communication.
How might users notice TLS 1.3?
Speed. TLS 1.3 is designed for speed, specifically by reducing the number of network round-trips required before data can be sent to one round-trip (1-RTT) or even zero round-trips (0-RTT) for repeat connections.
These ideas have appeared before in experimental form through the QUIC protocol and False Start for earlier TLS versions, but as part of the default behavior of TLS 1.3 they will soon become much more widespread. This means latency will decrease and webpages will load faster.
TLS 1.3 should be a big improvement security-wise.
First, the protocol is much simpler by removing support for a number of old protocol features and obsolete cryptographic algorithms. Additionally, TLS 1.3 was designed with the benefit of model checking (which has been used to find flaws in many older versions of TLS and SSL).
What are you waiting for?
Now, all we need to do is wait for OpenSSL to release a updated version with TLS. 1.3, something they are working on. Or if you don’t have time for that, you could build OpenSSL from source yourself.