Slashdot Mirror


OpenSSL Hit by Forgery Bug

Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."

3 of 69 comments (clear)

  1. Google saves the day... by Anonymous Coward · · Score: -1, Flamebait

    Wonder if Google Desktop search can help me find all the bugs in Windows...

  2. And the echo by JustOK · · Score: -1, Flamebait

    I think I'm hearing the echo of someone saying that there was no hole, and that it was Pres. Bush ordering a new backdoor be put into it. "Its to protect us from the terrorists, and that's not evil."

    --
    rewriting history since 2109
  3. Security and open source by The_Abortionist · · Score: -1, Flamebait

    One of the fallacies of the open source movement is the belief that all the users access the code and help each other out in order to build the perfect software. How many people look at this and that in the linux source to find all the bugs? Millions? More like 3-4. And that's generous because it's probably just the developer doing the code while rest give a quick gaze at checkin.

    In the case of security, the lack of real benevolent oversight is compounded by constant verification by hackers and criminals in order to find the smallest security lapse. Then, they share the knowledge amongst each other and then they are free to wreck havock. Wreck havoc not until a fix is produced, that's usually done pretty quickly, but until the fix propagates everywhere.

    Someone who uses any open source software must constantly look at the news, like on slashdot, to see if they need to download a new version of the software. If they miss a day, they can be 100% vulnerable.

    Now everybody who uses OpenSSL embedded in whatever application must carefully wait for an update to become available to that particular software. Who knows when? Until then, they are completely vulnerable to anyone who can read a usenet post.

    --
    Linux violates 235 Microsoft patents.