My slightly tipsy stream of consciousness on this:
Not surprising in any way. First, let's chat about the protocols that are vulnerable. TLS in general and SSL/HTTPS on OpenSSL. TLS is ancient in internet years. The SSL version that they are talking about is the support for the old "nothing over 32-bit encryption for export" algorithms. Even Android with their fanatical backward compatibility doesn't continue support for either of them. Microsoft phased out TLS V1 years ago. Currently they support V2 and V3 on most of their major platforms and V3 only on the rest, neither of which is vulnerable. Even the full name of the exploit, Decrypting RSA with Obsolete and Weakened eNcryption, tells you that this is an attack against older technologies. Granted, when SSL certs used to be very expensive, companies would buy wildcard certificates (*.domain.com) and apply a single cert to all of their machines. Any company doing that today in the day of the 19.99 cert is a group of assclowns. That's what they would have to be doing to be vulnerable on the SSL side, which is what the article is describing. The vulnerability comes when the same private key is used for a current server as well as a server with the old exportable encryption. By definition that means using the same cert on both machines, which means a wildcard cert. They exploit the key on the machine with older tech and then use it to decrypt traffic on the newer tech via man-in-the-middle type attacks.
Rant On
Look, I've learned over the years that there are two major flaws with the Open Source movement that make it completely unpalatable for me.
1) Some parts of the code are sexier than others to work on. Let's face it, if a developer is contributing to say...the Linux OS... If they have a choice of maintaining the TCPv4 stack, which has been solid for 20 years, or contributing to a brand new feature that is going to revolutionize the way users perceive the OS, guess which one they are going to opt to work on? Hint: not the TCP stack. The problem with this is that there are old flaws that hang around in the code for years without anyone noticing them. Did you know there was a buffer overrun exploit that existed IN THE MAIN LOGIN ROUTINE for Linux from 1991-2008? That's right, until 2008 a savvy person could take root-level control of a Linux box by simply typing a 256-character username and then typing arbitrary C code after those 256 characters. The exploit that it was founded on (the cstr overrun) was a known exploit for 10 years before anyone realized that it affected the login prompt... Why? Because the login was considered "finished" and no one took the time to look at it. This SSL exploit falls in the same category. It's done and there's nothing exciting about maintaining old code.
2) Open Source at its very heart is exploitative. Here's how it works in the real world. If I have an idea that I think will be big, but don't have the money, or want to spend the money, to hire programmers to turn it into a reality, Open Source is the way to go. I put the idea on SourceForge, start working on the core of the code, but I hold back a few of the features that I believe will be valuable to users. I enlist a bunch of programmers that will work for me for free to build the core of my application. They contribute thousands of man-hours of work to the project and build out the core. The application fails, no sweat, I don't have to pay anything for all that work. But, if the application takes off, I can hire the programmer that was the most help (and who can be hired) and I set up a paid support model. Then I set up the licensed version which has the features that I held back. From that point I have enough revenue to completely focus on the paid model and just leave the open source core out there for the mob to play with. Meanwhile I now have a viable product that I didn't have to pay a single penny to build... It's incredibly exploitative to the programmers that volunteer their time. Do you know how many thousands of programmers put in hundreds of hours working on Red Hat? The development costs would have been in the millions. Same for OpenOffice. Instead they got it for free and now commercial entities pay the same licensing costs as they pay for Windows (actually more for Red Hat Enterprise Linux) and the companies have revenue in the millions and billions. What did those thousands of programmers get? The pride of working on the application...that's it, nothing else, nada. With the exception of a very few people, the contributors to Open Source projects are idiots. The companies that use Open Source products are contributors to the mass exploitation of idealists.
I wish them the best, but I have a limited amount of time on this earth and every second of my time has value. If you ever catch me contributing to an Open Source project, just go ahead and put me out of my misery.
Rant Off
Now where did I put my drink....
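
The shared-key condition described in the post above (one private key serving both a current server and one that still offers the old export-era SSL), written as an inventory check. This is an added example, not part of the original post: the endpoint records, host names and key fingerprints are constructed placeholders, and it assumes a scanner has already recorded each endpoint's public-key fingerprint and enabled protocol versions.

```python
from collections import defaultdict

# Constructed inventory (not real scan data): one record per TLS endpoint.
# "key_fp" stands in for a fingerprint of the endpoint's public key.
INVENTORY = [
    {"host": "www.example.test", "port": 443, "key_fp": "KEY-A",
     "protocols": {"TLSv1.2", "TLSv1.3"}},
    {"host": "legacy.example.test", "port": 443, "key_fp": "KEY-A",
     "protocols": {"SSLv2", "TLSv1.0"}},
    {"host": "shop.example.test", "port": 443, "key_fp": "KEY-B",
     "protocols": {"TLSv1.2"}},
    {"host": "api.example.test", "port": 443, "key_fp": "KEY-B",
     "protocols": {"TLSv1.3"}},
    {"host": "old-intranet.example.test", "port": 443, "key_fp": "KEY-C",
     "protocols": {"SSLv2"}},
]

OBSOLETE = {"SSLv2"}  # the export-era protocol the post refers to


def endpoint_name(ep):
    return f'{ep["host"]}:{ep["port"]}'


def audit_key_reuse(inventory):
    """Return one finding per key that is served by any SSLv2 endpoint.

    Each finding lists the SSLv2 endpoints holding the key and the
    endpoints that do not offer SSLv2 themselves but share that key.
    """
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[ep["key_fp"]].append(ep)

    findings = []
    for key_fp, endpoints in sorted(by_key.items()):
        weak = sorted(endpoint_name(e) for e in endpoints
                      if e["protocols"] & OBSOLETE)
        if not weak:
            continue  # key never appears on an SSLv2 endpoint
        shared = sorted(endpoint_name(e) for e in endpoints
                        if not e["protocols"] & OBSOLETE)
        findings.append({"key_fp": key_fp, "sslv2_endpoints": weak,
                         "modern_endpoints_sharing_key": shared})
    return findings


if __name__ == "__main__":
    for finding in audit_key_reuse(INVENTORY):
        print(finding)
```

A finding with a non-empty `modern_endpoints_sharing_key` list means the key should be rotated and SSLv2 disabled on the listed legacy endpoints.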