Re: Audit: don't only focus on heartbleed issue

[Reindl Harald <h.reindl () thelounge net>]

and the others need a MITM attack which is not *that* easy
as connect to a server and send a heartbleed-packet without
anything in the logs of the attacked server

frankly outside a public hotspot / untrusted network nobody
but the NSA and otehr agencies are able to really to MITM


Am 16.04.2014 20:03, schrieb Ron Bowes:
> Are there actually any real-world attack scenarios for BEAST, CRIME, or
> Lucky-thirteen?
>
> Heartbleed has been used in actual legitimate attacks, but those earlier
> attacks all seem pretty tame in comparison. Worth fixing, of course, but
> they don't seem *as* critical to me.
>
> On Wed, Apr 16, 2014 at 3:10 AM, Shawn <citypw () gmail com> wrote:
>
> > After an exciting and crazy week. People are getting calm and plan or
> > already start to doing audit on their system. But there are something
> > you might miss. The older version of OpenSSL( like 0.9.8) might not
> > affected by heartbleed issue but it doesn't mean you are secure. Don't
> > forget the old OpenSSL are still vulnerable to BEAST( 2011), CRIME(
> > 2012), Lucky-thirteen( 2013)[1]. I do believe Lucky-thirteen is far
> > more dangerous than heartbleed, we just don't know. Once you start the
> > audit, plz upgrade the OpenSSL to the latest version. If you are using
> > 0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to Lucky-13
> > issue.
> >
> > Fix heartbleed issue for website is much easier than the networking
> > devices( Firewall, UTM, SSL/IPSEC VPN, etc) and the 3rd-party
> > software. This definitely gonna impacting for long term.
> >
> >
> > [1] http://www.isg.rhul.ac.uk/tls/

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/