# SSL & TLS Hacked?



## Brill (Mar 2, 2016)

@compforce , what say ye about the DROWN attack?

DROWN HTTPS Vulnerability Threatens 11 Million Open SSL Web Sites - Network Security on CIO Today


----------



## compforce (Mar 2, 2016)

lindy said:


> @compforce , what say ye about the DROWN attack?
> 
> DROWN HTTPS Vulnerability Threatens 11 Million Open SSL Web Sites - Network Security on CIO Today



My slightly tipsy stream of consciousness on this:

Not surprising in any way.  First,  let's chat about the protocols that are vulnerable.  TLS in general and SSL/HTTPS on Open SSL.  TLS is ancient in internet years.  The SSL version that they are talking about is the support for the old "nothing over 32 bit encryption for export" algorithms.  Even Android with their fanatical backward compatibility doesn't continue support for either of them.  Microsoft phased out TLS V1 years ago.  Currently they support V2 and V3 on most of their major platforms and V3 only on the rest, neither of which is vulnerable.  Even the full name of the exploit, Decrypting RSA with *Obsolete and Weakened* eNcryption, tells you that this is an attack against older technologies.  Granted, when SSL certs used to be very expensive, companies would buy wild card certificates (*.domain.com) and apply a single cert to all of their machines.  Any company doing that today in the day of the 19.99 cert is a group of assclowns.  That's what they would have to be doing to be vulnerable on the SSL side, which is what the article is describing.  The vulnerability comes when the same private key is used for a current server as well as a server with the old exportable encryption.  By definition that means using the same cert on both machines, which means a wild card cert.  They exploit the key on the machine with older tech and then use it to decrypt traffic on the newer tech via man in the middle type attacks.

Rant On
Look, I've learned over the years that there are two major flaws with the Open Source movement that make it completely unpalatable for me.

1) Some parts of the code are sexier than others to work on.  Let's face it, if a developer is contributing to say...the Linux OS...  If they have a choice of maintaining the TCPv4 stack, which has been solid for 20 years, or contributing to a brand new feature that is going to revolutionize the way users perceive the OS, guess which one they are going to opt to work on?  hint: not the TCP stack.  The problem with this is that there are old flaws that hang around in the code for years without anyone noticing them.  Did you know there was a buffer overrun exploit that existed IN THE MAIN LOGIN ROUTINE for Linux from 1991-2008?  That's right, until 2008 a savvy person could take root level control of a Linux box by simply typing a 256 character username and then typing arbitrary C code after those 256 characters.  The exploit that it was founded on (the cstr overrun) was a known exploit for 10 years before anyone realized that it affected the login prompt...  Why? Because the login was considered "finished" and no one took the time to look at it.  This SSL exploit falls in the same category.  It's done and there's nothing exciting about maintaining old code.

2) Open Source at it's very heart is exploitative.  Here's how it works in the real world.  If I have an idea that I think will be big, but don't have the money, or want to spend the money, to hire programmers to turn it into a reality Open Source is the way to go.  I put the idea on sourceforge, start working on the core of the code, but I hold back a few of the features that I believe will be valuable to users.  I enlist a bunch of programmers that will work for me for free to build the core of my application.  They contribute thousands of man hours of work to the project and build out the core.  The application fails, no sweat, I don't have to pay anything for all that work.  But, if the application takes off, I can hire the programmer that was the most help (and who can be hired) and I set up a paid support model.  Then I set up the licensed version which has the features that I held back.  From that point I have enough revenue to completely focus on the paid model and just leave the open source core out there for the mob to play with.  Meanwhile I now have a viable product that I didn't have to pay a single penny to build...  It's incredibly exploitative to the programmers that volunteer their time.  Do you know how many thousands of programmers put in hundreds of hours working on Red Hat?  The development costs would have been in the millions.  Same for Open Office.  Instead they got it for free and now commercial entities pay the same licensing costs as they pay for Windows (actually more for Red Hat Enterprise Linux) and the companies have revenue in the millions and billions.  What did those thousands of programmers get?  The pride of working on the application...that's it, nothing else, nada.  With the exception of a very few people, the contributers to Open Source projects are idiots.  The companies that use Open Source products are contributors to the mass exploitation of idealists.  I wish them the best, but I have a limited amount of time on this earth and every second of my time has value.  If you ever catch me contributing to an Open Source project, just go ahead and put me out of my misery.

Rant Off

Now where did I put my drink....


----------



## Gunz (Mar 2, 2016)

Wow


----------



## Kraut783 (Mar 2, 2016)

All I understood was....

"Now where did I put my drink..."


----------



## compforce (Mar 2, 2016)

Kraut783 said:


> All I understood was....
> 
> "Now where did I put my drink..."



Let me paraphrase:

Open Source programmers want to kick in doors, they don't want to make sure the wells they built last year still have clean water
Open Source = Socialism of the IT world complete with exploitation of the workers for the benefit of the wealthy

I found my drink...


----------



## AWP (Mar 2, 2016)

compforce said:


> My slightly tipsy stream of consciousness on this:...



Nicely done.


----------



## Kraut783 (Mar 2, 2016)

Much better comforce ... That I understood  seriously, your reponse was quite impressive....I am still going over it in an attempt to understand. This kind of stuff is over my head, but I am trying to learn.


----------



## Ranger Psych (Mar 2, 2016)

compforce said:


> My slightly tipsy stream of consciousness on this:
> 
> FUKKEN TRUTH STREAM FIREHOSE STYLE
> 
> Now where did I put my drink....



This is exactly the same thing I've been thinking for years with open source stuff. It's literally not any better than anything else, and in the case of some things, is a hell of a lot worse than something that had a proper dev-crew do QA, etc. Are you going to catch everything? No. You can NEVER discount the ingenuity of a user or a "threat" to be able to find a novel, new, and totally unforeseen method to break your shit. But, for all of it's vices, paid stuff has had a lot more real work and real effort put forth to try to get a good product out there.


----------



## AWP (Mar 3, 2016)

Just to highlight some points made by @compforce and @Ranger Psych. While some of these are more than a decade old, the concept remains the same. The assertion that essentially volunteer developers will choose to find all of the holes and develop all of the patches is ludicrous because it assumes the programmers are without human traits.

"Open source" infighting grows - CNET

BitKeeper: No holds barred open source infighting | ZDNet



> BitMover, the US-based company behind BitKeeper, agreed to make the tool available free of charge to open source developers, on the condition that developers using BitKeeper would not create a competing product. But now it seems that some open source developers haven't kept up their end of the bargain. Bitmover recently announced that it will be phasing out its free BitKeeper product to allow it to focus on its commercial version.



Enterprise Efficiency - Andrew Froehlich - Linux Infighting Might Be Opportunity for Windows Server

Linux kernel patch releases "code of conduct" - TechRepublic

An Overview of AngularJS for Managers



> However, there are many positives about the AngularJS team all working for Google. For one, having one commercial entity control the framework can often be a positive because it completely avoids infighting between political factions. In the open source world, this infighting can be public and nasty, detracting for the team's purpose of building great software. Forks of open source software can often be bad for consumers, especially in the short term where battle lines are drawn and collaboration ceases.
> 
> Just look at one of the recent high profile fights between the two of the company's backing Node.js, Joyent and Strongloop. You company can certainly do without all this manufactured developer drama happening while you're trying to build enterprise grade software.



NSA & Open Source: Another Controversy Brewing? | Sonatype Blog


----------

