Well, this isn't good


G+_Neil Sedlak

"The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks. The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies."

 

This part is particularly interesting since the article mentions no server log trace is left and not knowing whether the security has already been compromised. Surely the addition of the quoted revocations needs to be implemented as standard rather than some just applying the patch?

 

I'm guessing there's no way an end user can tell whether they're using a connection that has been patched, let alone the complete revocations implemented?

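The quoted remediation step "invalidating all session keys and session cookies" is the part site operators most often skipped after patching OpenSSL. The following is an added example, not code from the original post or from the article it quotes, of how a server could do it for HMAC-signed session cookies: rotate the cookie-signing key (anything signed with the possibly leaked old key stops validating) and additionally refuse any cookie whose issued-at timestamp predates the moment the patch went live, which covers deployments that keep the old key alive during a grace window. The cookie format, the class and method names, and the timestamps are all assumptions made for the example.

```python
"""Added example (not from the original post): invalidate every session
cookie issued before an OpenSSL patch and key rotation.

Assumptions (hypothetical, not from the page): cookies are HMAC-SHA256
signed strings of the form "<session_id>.<issued_at>.<hex_mac>", and the
server records a "not valid before" epoch when it deploys the fix.
"""
import hashlib
import hmac
from typing import Optional


class SessionStore:
    def __init__(self, key: bytes):
        self.key = key
        # Cookies issued (by timestamp) before this epoch are rejected even if
        # their MAC verifies; 0 means "no cutoff yet".
        self.not_before = 0

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, session_id: str, issued_at: int) -> str:
        """Mint a cookie for session_id with an embedded issued-at timestamp."""
        payload = f"{session_id}.{issued_at}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, cookie: str) -> Optional[str]:
        """Return the session id if the cookie is authentic and post-dates the
        remediation cutoff, otherwise None."""
        try:
            session_id, issued_at_s, mac = cookie.rsplit(".", 2)
            issued_at = int(issued_at_s)
        except ValueError:
            return None  # malformed cookie
        payload = f"{session_id}.{issued_at}"
        if not hmac.compare_digest(self._sign(payload), mac):
            return None  # forged, or signed with the old (possibly leaked) key
        if issued_at < self.not_before:
            return None  # issued before the patch: treat as potentially stolen
        return session_id

    def rotate_after_patch(self, new_key: bytes, patched_at: int) -> None:
        """Call once the patched OpenSSL and reissued TLS keys are deployed.
        Every cookie minted before patched_at, under any key, is now dead."""
        self.key = new_key
        self.not_before = patched_at


def demo() -> dict:
    """Walk through the lifecycle with constructed sample data."""
    store = SessionStore(b"old-signing-key")
    pre_patch = store.issue("alice", 1000)          # minted under the old key
    results = {"pre_patch_before_rotation": store.validate(pre_patch)}

    store.rotate_after_patch(b"new-signing-key", patched_at=2000)
    results["pre_patch_after_rotation"] = store.validate(pre_patch)
    # Signed with the new key but backdated before the cutoff: still rejected.
    results["backdated_new_key"] = store.validate(store.issue("bob", 1500))
    results["fresh_after_patch"] = store.validate(store.issue("carol", 2500))
    results["garbage"] = store.validate("not.a.real.cookie")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The not_before cutoff is what makes the remediation complete: rotating the key alone is enough only if the old key is discarded at the same instant, and the timestamp check is cheap insurance against a cookie that was re-signed or replayed through a grace period.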
