SEARCH RESULTS
 
Showing 1-10 of 11 records
 
Debian OpenSSL Blunder

2008-05-15 09:19:37 by Editor in Cheap Hack
 
...OpenSSL in September 2006. As Moore explains it, the problem began when the team addressed a different potential vulnerability having to do with uninitialized data. To fix it, they removed one line of code. Moore shows how this had "...the side effect of crippling the seeding process for the OpenSSL PRNG." (PRNG is pseudo-random number...

More On The Debian OpenSSL Blunder

2008-05-18 13:17:44 by Editor in Cheap Hack
...OpenSSL bug that I'm surprised I hadn't seen before. (This is a fun blog and I highly recommend it. And yes, I'm ripping off his use of the image below.) As Debian revealed in their disclosure, the bug was created because they removed a line of code based on a warning from the Purify tool that the code, part of the random number generator, was...

Random Number Bug in Debian Linux

2008-05-19 06:07:59 by schneier in Schneier on Security
 
...OpenSSL package they were distributing. The bug in question was caused by the removal of the following line of code from md_rand.c: MD_Update(&m,buf,j); [ .. ] MD_Update(&m,buf,j); /* purify complains */ These lines were removed because they caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code...
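Moore's "one line of code" above and the MD_Update(&m,buf,j) calls quoted by Schneier describe the same mechanism. What follows is an added C example written for this page; it is not OpenSSL's md_rand.c and not code from any of the posts listed here. It models the seeding loop of md_rand.c with a toy 64-bit FNV-style mixer standing in for MD5 and a 32-byte pool standing in for the 1023-byte one, with constructed seed bytes and hard-coded process IDs. The purify_patched flag reproduces the Debian change by skipping the MD_Update(&m, buf, j) call, so the caller's seed never reaches the pool and the first output depends on the process ID alone.

```c
/* Toy model of the md_rand.c seeding path, with and without the MD_Update
 * line that the Debian patch removed. Added example; not OpenSSL code.
 * Assumptions: FNV-1a plus a finaliser stands in for MD5, the pool is 32
 * bytes instead of 1023, and seeds/PIDs below are constructed test values. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STATE_SIZE 32   /* toy pool; the real STATE_SIZE is 1023 */
#define BLOCK 8         /* bytes mixed per round; real code uses MD_DIGEST_LENGTH */

/* Stand-in for MD_Init / MD_Update / MD_Final. */
typedef struct { uint64_t h; } toy_md;
static void toy_md_init(toy_md *m) { m->h = 0xcbf29ce484222325ULL; }
static void toy_md_update(toy_md *m, const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) { m->h ^= b[i]; m->h *= 0x100000001b3ULL; }
}
static uint64_t toy_md_final(toy_md *m) {
    uint64_t v = m->h;
    v ^= v >> 29; v *= 0xbf58476d1ce4e5b9ULL; v ^= v >> 32;
    return v;
}

/* Toy version of the static pool in md_rand.c. */
typedef struct {
    unsigned char state[STATE_SIZE];
    uint64_t local_md;   /* stands in for local_md[MD_DIGEST_LENGTH] */
    size_t st_idx;
} toy_pool;

static void toy_pool_init(toy_pool *p) { memset(p, 0, sizeof *p); }

/* Model of ssleay_rand_add(buf, num): per block, hash local_md, the next
 * block of state and the caller's seed bytes, then XOR the digest into state.
 * With purify_patched != 0 the MD_Update(&m, buf, j) call is skipped, which
 * is the line Debian removed: the seed never touches the pool. */
static void toy_rand_add(toy_pool *p, const unsigned char *buf, size_t num,
                         int purify_patched) {
    for (size_t off = 0; off < num; off += BLOCK) {
        size_t j = (num - off < BLOCK) ? num - off : BLOCK;
        unsigned char chunk[BLOCK], digest[8];
        toy_md m;
        for (size_t i = 0; i < j; i++)
            chunk[i] = p->state[(p->st_idx + i) % STATE_SIZE];
        toy_md_init(&m);
        toy_md_update(&m, &p->local_md, sizeof p->local_md);
        toy_md_update(&m, chunk, j);
        if (!purify_patched)
            toy_md_update(&m, buf + off, j);   /* the removed line */
        p->local_md = toy_md_final(&m);
        memcpy(digest, &p->local_md, sizeof digest);
        for (size_t i = 0; i < j; i++)
            p->state[(p->st_idx + i) % STATE_SIZE] ^= digest[i];
        p->st_idx = (p->st_idx + j) % STATE_SIZE;
    }
}

/* Model of the first output of ssleay_rand_bytes: hash local_md, the pid
 * (the per-process input the patched code still mixed in) and the pool. */
static uint64_t toy_rand_bytes(const toy_pool *p, uint32_t pid) {
    toy_md m;
    toy_md_init(&m);
    toy_md_update(&m, &p->local_md, sizeof p->local_md);
    toy_md_update(&m, &pid, sizeof pid);
    toy_md_update(&m, p->state, STATE_SIZE);
    return toy_md_final(&m);
}

/* Seed a fresh pool with `seed`, then draw the first output under `pid`. */
static uint64_t first_output(const unsigned char *seed, size_t len,
                             uint32_t pid, int purify_patched) {
    toy_pool p;
    toy_pool_init(&p);
    toy_rand_add(&p, seed, len, purify_patched);
    return toy_rand_bytes(&p, pid);
}

/* 1 if two different seeds give different first outputs under one fixed pid. */
static int seed_affects_output(int purify_patched) {
    unsigned char a[32], b[32];
    memset(a, 0xA5, sizeof a);   /* constructed seeds, not real entropy */
    memset(b, 0x3C, sizeof b);
    return first_output(a, sizeof a, 4242, purify_patched)
        != first_output(b, sizeof b, 4242, purify_patched);
}

/* 1 if, with crippled seeding, changing only the pid still changes the output. */
static int pid_affects_output(void) {
    unsigned char a[32];
    memset(a, 0xA5, sizeof a);
    return first_output(a, sizeof a, 100, 1) != first_output(a, sizeof a, 101, 1);
}

int main(void) {
    printf("upstream:     seed changes output? %s\n", seed_affects_output(0) ? "yes" : "no");
    printf("Debian patch: seed changes output? %s\n", seed_affects_output(1) ? "yes" : "no");
    printf("Debian patch: pid changes output?  %s\n", pid_affects_output() ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler. The unpatched path reports that the seed changes the output; the patched path reports that it does not, while the process ID still does, which is why the keys generated by the broken package could be enumerated by walking the range of possible PIDs rather than the seed space.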
 
 
 
 
 
Free Certificate Reissuance From VeriSign

2008-05-17 07:20:37 by Editor in Cheap Hack
 
...OpenSSL implementation, VeriSign is offering free reissuance of certificates. Patching the flawed software is not enough: certificates containing public keys generated by the buggy versions of OpenSSL have to be revoked and replaced with new copies generated by fixed versions of the software. For customers of trusted certificate authorities...

Got Entropy ?

2008-04-02 02:55:47 by Erik T. Heidt in Art of Information Security
 
...OpenSSLs) allow the addition of entropy from outside sources. So I started looking for entropy sources I could use to bolster the RNGs on my virtual hosts (and other uses). While I was looking into this, it occurred to me that I had an unused TV tuner card, a PVR-350. When a TV is tuned to a channel with no local station, the snow on the screen...

Episode 2 and Beyond - A Few Teasers

2007-12-12 04:15:16 by Erik T. Heidt in Art of Information Security
 
...openSSL and I am dying to start discussing some real world cryptography topics Just to name a few What I would really like to do is find out what topics you are interested in, so that Art of Information Security can have relevant and compelling content. To address this need I have created a feedback section on the site, located in the main...
 
 
 
 
 
True Randomness

2008-05-21 16:36:10 by Editor in Cheap Hack
 
...OpenSSL bug. It inspired web developer Bo Allen to look into the randomness of the PHP rand() function. He compared it to the results from random.org, which uses atmospheric noise as a random seed. The result is a visually clear example of randomness and not-so-randomness. Read the blog, you'll see what I mean. Allen's test makes me think...

Free SSL Certs for Debian Bug Victims from Comodo

2008-05-22 10:12:19 by Editor in Cheap Hack
 
...OpenSSL bug, certificate authority Comodo is offering free replacement SSL certificates to anyone affected, including customers of other CAs. Comodo customers can just go into their accounts and replace their certificates with a new Certificate Signing Request. Customers of other CAs can get their free certificate at this site. Comodo says...

Can I just comment out these lines of code?

2008-05-23 10:53:20 by Burton Group in Security and Risk Management Strategies Blog
 
...openssl" for more discussions than I can link to. The action - making a change without following a standardized process - is certainly not unique to this situation, and "the system was slow so I turned off this feature", or "I just fiddled around with it and it just started working" are phrases all too commonly heard in many aspects of IT....