It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).
For the stable distribution (wheezy), these problems have been fixed in version 0.9.7.9+deb7u3.
For the unstable distribution (sid), these problems have been fixed in version 1.0.9.
We recommend that you upgrade your apt packages.
— Permalien
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Tester ses serveurs:
http://s3.jspenguin.org/ssltest.py
http://possible.lv/tools/hb/?sp
Lire aussi:
https://www.pcinpact.com/news/86934-openssl-faille-heartbleed-menace-securite-web-sites-ferment.htm
https://www.peereboom.us/assl/assl/html/openssl.html
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
Surveiller ses connexions:
tshark -i eth0 -R "ssl.record.content_type eq 24 and not ssl.heartbeat_message.type"
— Permalien
You might have heard about the critical GnuTLS bug that was recently fixed recently. What's the deal with it? Why is it a big deal? What happened?
— Permalien
Cryptocat is run by people that don't know crypto, make stupid mistakes, and not enough eyes are looking at their code to find the bugs. Cryptographers know the minimums or at least know you should look them up. Cryptocat tried BPKDF2, RSA, Diffie-Hellman, and ECC and managed to mess them all up because they used iterations or key sizes less than the minimums. There was a bug in the generation of ECC private keys that went unchecked for 347 days. They seem to not understand simple programming concepts such as a byte vs a decimal digit character: "Fix inaccurate comment". Both comments are wrong since "Cryptocat.randomString(64, 0, 0, 1, 0)" generates a string that is 64 decimal digits which is 212.6 bits or 26.6 bytes.
[...]
What do I think of Cryptocat?
Cryptocat's public key scheme is now good after being bad since pretty much the beginning. I would suggest not using Cryptocat as there's no telling how long it will be until they break their public key encryption. Good news is if they read this they'll make a better effort not to change public key algorithms or the way they generate private keys. I'm sure there are plenty of bugs and other bad crypto in other parts because I only looked at random generation and found a bug, at public key algorithm and found a bug, and quickly looked where random is used and found something scary.
What did I get out of this?
Even though I qualified for their bug bounty I never got anything. My guess is my bug is too big. Since it means that all messages after May 7th, 2012 are crackable. In a comment I was ask for my name, but I have not been added to their bug hunt page. I guess should have "t-shirt, sticker, money, and a mention on our Wall of Unquestionable Greatness!" coming sometime, but haven't heard anything about it.
Well I had fun writing DecryptoCat. Also I learned a new word "encraption". Thanks for that one azonenberg from irc.freenode.net. Also I learned that it means nothing when I hear "it is open source and peer reviewed".
— Permalien
Petite listes d'outils python pour déboguer.
je laisse ça ici c'est bien pratique.
— Permalien