Eavesdrop free chat lines
Tags: Internet, keys, man-in-the-middle attacks, passwords, patching, SSL, vulnerabilities, web, zero-day Posted on April 9, 2014 at AM • 319 Comments Update the certificate like in requesting a new one based on the same public key is not enough, because your private key might have been stolen.
Renew your public/private key pair and then request a new certificate.
In that Microsoft code seem to be comments like private\inet\mshtml\src\core\cdbase\baseprop.cxx: // HACK! REMOVE THIS ONCE MARLETT IS AROUND private\inet\mshtml\src\other\moniker\resprot.cxx: // goto End Hack; // private\inet\mshtml\src\site\layout\flowlyt.cxx: // God, I hate this hack ...
private\inet\wininet\urlcache\filemgr.cxx: // ACHTUNG!!! this is a special hack for IBM antivirus software private\ntos\w32\ntuser\client\dlgmgr.c: // HACK OF DEATH: So, which bugs can be expected in these closed source crypto libraries from Microsoft, if openssl has bugs like heartbleed?
The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. Possible evidence that Heartbleed was exploited last year.
This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. EDITED TO ADD (4/10): I wonder if there is going to be some backlash from the mainstream press and the public.
• April 9, 2014 AM "If the US agencies knew of and exploited this bug, then why all the legal wrangling with lavabit for their SSL keys? If collected evidence has to be presented in court, the agency can show a legal means by which it was collected, without revealing the vulnerability or the illegal act of exploiting it against a US company.
This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected. An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn't going to be fun for anyone.Those first weeks after Snowden might have been a bit panicky and a bit disorganized at NSA.• April 9, 2014 AM @Dimitris Andrakakis, see the comments here and the following ones: https:// Perhaps it is indeed irelevant whether the bug was deliberately placed or not, since it may be used nevertheless. And a german programmer as an nsa agent sounds a bit far reaching.• April 9, 2014 AM "Update the certificate like in requesting a new one based on the same public key is not enough, because your private key might have been stolen.Renew your public/private key pair and then request a new certificate." Yes. • April 9, 2014 AM @Boris 'pi' Piwinger Fefe has a nice piece on that on his blog. mon=201404 Basically: It was added by a T-Systems employee (biggest telecommunication company in germany and mostly owned by the state...• April 9, 2014 AM "why all the legal wrangling with lavabit for their SSL keys?" Not everything uses vulnerable version of Open SSL, maybe lavabit did not.With microsoft, the nsa even has an enormous advantage: Microsoft itself claims that it had to give important design information of the crypto libraries to the nsa for reviewing. So the nsa might know the windows sourcecode, but we do not, thereby the nsa has it very easy when they make exploits for microsoft crypto functions.I see that one can (illegally) get parts of the windows 2000 sourcecode on piratebay Perhaps by looking at that, one can tell what the nsa key really is for. (Mohan B) In order to fix #64710 at this very late private\inet\mshtml\src\core\cdutil\genutil.cxx: // HACK HACK HACK.• April 9, 2014 AM "If the US agencies knew of and exploited this bug, then why all the legal wrangling with lavabit for their SSL keys?" My guess is that they learned about this -- and started exploiting -- this bug yesterday, along with everyone else who is fast enough to do that.