Slashdot Mirror
Old Crypto Vulnerability Hits Major Tech Firms (securityweek.com)
wiredmikey writes: A team of researchers has revived an old crypto vulnerability and determined that it affects the products of several major vendors and a significant number of the world's top websites. The attack/exploit method against a Transport Layer Security (TLS) vulnerability now has a name, a logo and a website. It has been dubbed ROBOT (Return Of Bleichenbacher's Oracle Threat) and, as the name suggests, it's related to an attack method discovered by Daniel Bleichenbacher back in 1998. ROBOT allows an attacker to obtain the RSA key necessary to decrypt TLS traffic under certain conditions. While proof-of-concept (PoC) code will only be made available after affected organizations have had a chance to patch their systems, the researchers have published some additional details. Researchers have made available an online tool that can be used to test public HTTPS servers. An analysis showed that at least 27 of the top 100 Alexa websites, including Facebook and PayPal, were affected.
We already have enough problems with the Ive-ification of fonts, i.e. thin and pale fonts which are hard to read and lack contrast.
#DeleteFacebook
I've got lots of old stuff in use. The big issue is where do I draw the line between generating e-waste and using older energy hungry hardware instead of something more efficient?
The preceding post was not a Slashvertisement.
First Post!
And they run when the sun comes up
With their lives on the line
For a while
Gotta follow the laws of the wild
With their lives on the line
Out here only the strong survive
Your e-post is e-waste on the e-wrong e-article on this e-website on the e-internet!
For instance: WIRELESS CHARGING
Horribly inefficient and solely for convenience. I know a guy who watched that polar bear video and was all sad, then he went and wirelessly charged his phone. Talk about pretend friend to the environment! Long story short that guy was me.
lol
Fuck that stupid propaganda video.
Wireless charging should have been standard for cell phones ten years ago. Wireless charging was commonplace for electric toothbrushes back then.
Pat Sajak (/ s e d æ k / SAY-jak, born Patrick Leonard Sajdak; October 26, 1946) is an American television personality, former weatherman, and talk show host ... who knows mmore about the game show racket? & vana would be able to help re; id/ing lecherous guys.. so we can move on from our stale/moldy deadspace debates? cease fire stand down there's women & children in all of our towns... getting over ourselves seems almost unlikely?
The big issue is where do I draw the line between generating e-waste and using older energy hungry hardware instead of something more efficient?
Where the question of longevity comes in. Compare stuff made 40-50 years ago to what's made today, including some of the stuff that has "planned obsolescence" built in or really shady shit like with video cards(see where nvidia degraded performance on cards when new models come out). My parents are still using the same refrigerator that they bought when they got married in the mid 1970's. Is it inefficient? Yep. Does the damn thing weigh an assload? Yep. But it's also built like a tank and keeps going. Where as the new fridge that they bought to replace it because "it was more efficient" and it failed. In fact it failed so badly and there were so many of them that there was multiple class action lawsuits(see Samsung refrigerators).
Om, nomnomnom...
So, bad news for those fancy currencies - or are we using Crypto to mean cryptography again? Decide already.
Wireless charging is convenient, and it can extend the life of your phone if you would otherwise run into charging port issues. I switched to wireless charging when my phone complained of a wet charging port, since it bypasses the water detection.
The power loss is minimal for a device like my phone that doesn't really use that much power. You're much better off worrying about other ways of saving power. Turning off a light when you're not in the room can save a ton more power. Switching just a single bulb to LED saves far more power. Consider a smart powerstrip that kills power to auxiliary devices when you turn your TV off (sound bar, DVD player, cable box, Roku stick adapter, etc.).
There are tons of ways to be more efficient. Don't harass someone for ignoring one minor inefficiency in favor of convenience.
welcome our new ROBOT overlords.
The attack does not give an attacker access to the private key. It's an oracle attack. It enables decryption of traffic without the key.
The https test site is here: https://robotattack.org/
Updates? Since 1998? Liability? Damage?
To add to this, there is actually a way for wireless charging to be MORE efficient. The USB port on my Galaxy S5 is wearing out. The phone supports optional wireless charging. A buddy of mine gave me a charging pad for free, and all I needed was the accessory to sit inside the battery compartment of the phone. Now I can continue to use the phone without the worry or need to replace it just because the wired charging port is going bad on it.
You aren't putting your cell phone under water and then sticking it in your moist mouth and then rinsing it off when finished.
Water environments introduce electrical shock risks. Wireless charging makes sense for electric toothbrushes because they are almost always in wet zones of a person's residence.
Wow - how did I do this?
This was supposed to be a reply to the e-waste posting, not the crypto one. I guess I clicked back to the wrong tab or something. When people come into my office and interrupt my train of thought I make mistakes. I was upset someone marked me off-topic until I realized I was playing in the wrong playground.
The preceding post was not a Slashvertisement.
Or you could simply replace the USB port: https://www.ebay.com/sch/i.html?_nkw=samsung%20s5%20usb%20port%20flex
Pretty much every piece of F5 equipment I've ever come across has usually been somehow fucked up, insecure or somehow non-operational in some retarded way. Years ago we had an F5 appliance doing TLS offload for us, but for some fucking reason it was mixing up data that came in via HTTP pipelining from the backend servers. So we had users getting credit card statements for other people. Terribly useful shit, I tell you.
"We hacked Facebook with a Bleichenbacher Oracle"
Today I'm re-writing a TLS (ssl) client to use the same hacky workarounds other clients have to use because F5 tries to read the ClientHello request into 256 byte buffer. The full packet is 684 bytes, and standards compliant. Since F5 standards compliant, we have to try three time to initiate a TLS connection, with three ClientHello requests, each under 256 bytes.
From the OP:
"ROBOT allows an attacker to obtain the RSA key necessary to decrypt TLS traffic under certain conditions."
As far as I can tell from reading the attack, this is not true. The attack lets you use the server as an oracle, that is, you can exploit the protocol to trick the server into signing arbitrary data with the server's private RSA key. I think this could be leveraged to mount a MITM attack, but it could not be used to recover the private RSA key. If the RSA private key was recoverable from a flaw in the TLS protocol, that would be a much bigger finding.
Its just me...or we are getting threads from other (random) topics
Higuita
Speak for yourself I out my phone in my mouth all the time.
Or you could do your part in stopping the destruction of the plant as we know it by switching incans to LED and turning them off when you arenâ(TM)t on the room AND charging by wire. Sad state of affairs when someone stops one bad habit to justify another.
And by the way I donâ(TM)t have a TV or a Roku whatever or a sound bar because I donâ(TM)t want the future to be a mad max style dystopia like you are aparrently ok with.
Will there be an ATM machine on this Internet network?