The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘OpenSSL’ Category

More OpenSSL and certificate things (in the aftermath of Heartbleed)

Posted by jpluimers on 2014/04/13

So you think Heartbleed is over. Think again. Not only servers are affected. Clients too. And you need to tighten your security even more.

Basically it comes down to this:

Expect all sites using HTTPS to have been vulnerable, and all data you exchanged with them to have been captured, unless you have hard proof that they were not vulnerable or that the traffic was not captured. If you have not started changing passwords, private keys, credit card numbers, etc.: do so now.

and

In layman’s terms/pictures: xkcd: Heartbleed Explanation.

If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).

Since often you cannot prove a system was using OpenSSL, there is no way to prove your data didn’t get copied.

Here are some interesting reads from last week:

Posted in OpenSSL, Power User, Security | Tagged: | 1 Comment »

Android 4.1.1 Devices are Vulnerable to Heartbleed

Posted by jpluimers on 2014/04/13

Whereas the OpenSSL heartbleed vulnerability investigations initially were aimed towards servers, over the last few days the client side got more attention.

Ouch. This might count for more than 30% of the Android devices out there: Android 4.1.1 Devices are Vulnerable to Heartbleed.

Time to check which Android version your device is running.

The @Lookout security firm did some statistics and published them on Twitter:

Detector app data: Germany has the most affected phones at 12.46%. Check out our geographical break down:

Posted in OpenSSL, Power User, Security | 1 Comment »

xkcd: Heartbleed Explanation, or why you should reset passwords, certificates and request new credit cards.

Posted by jpluimers on 2014/04/11

In layman’s terms/pictures: xkcd: Heartbleed Explanation.

If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).

Since often you cannot prove a system was using OpenSSL, there is no way to prove your data didn’t get copied.

–jeroen (who just discovered this is post #2000 on my blog; ain’t this cool? <g>)

Posted in Internet, OpenSSL, Power User, Security | 8 Comments »

Heartbleed: Serious OpenSSL zero day vulnerability revealed | ZDNet

Posted by jpluimers on 2014/04/08

The fixed OpenSSL 1.0.1g is already available in source form and as builds for many platforms.

As soon as a patched build becomes available for your platform, anyone using OpenSSL 1.0.1 or 1.0.2 must deploy it as fast as possible.

You also need to have all your certificates re-issued.

During the vulnerability period, your private keys may have been exposed, and there is no way to tell that they were not exposed.

Note that the official Win32 binaries for 1.0.1g are not available yet (expect them soon), but the Indy team made Win32 and Win64 versions available.

Note that openSUSE backported the patch to 1.0.1e for 12.3 and 13.1. Older openSUSE versions do not have updates for this issue, but you want to upgrade anything lower than 0.9.8 anyway, as those releases contain other serious vulnerabilities.
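As an added example (not from the post), here is a POSIX shell check that classifies the line printed by `openssl version` against the release range discussed above: 1.0.1 through 1.0.1f affected, 1.0.1g fixed, 1.0.0 and 0.9.8 never affected. The `--local` flag and the status words are my own; the openSUSE backport caveat from the post is why "vulnerable" must be read as "verify against the package changelog", not as proof.

```shell
#!/bin/sh
# Added example, not the post's own code: classify an OpenSSL version string
# against the Heartbleed-affected releases (1.0.1 up to and including 1.0.1f).
# Caveat taken from the post: distributions such as openSUSE backported the
# fix to 1.0.1e without bumping the version, so a "vulnerable" verdict from
# the version string alone must be confirmed via the package changelog.

heartbleed_status() {
    # $1: the line printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1 | 1.0.1[a-f]*)  echo "vulnerable" ;;      # 1.0.1 .. 1.0.1f (incl. -fips builds)
        1.0.1[g-z]*)          echo "patched" ;;         # 1.0.1g and later
        1.0.2-beta1)          echo "vulnerable" ;;      # first 1.0.2 beta shipped the bug
        1.0.2*)               echo "patched" ;;         # later 1.0.2 builds carry the fix
        1.0.0* | 0.9.8*)      echo "not-affected" ;;    # no vulnerable heartbeat code
        0.9.[0-7]*)           echo "obsolete" ;;        # not affected, but upgrade anyway
        *)                    echo "unknown" ;;         # unparsable: treat as unverified
    esac
}

# With --local, check the binary on this host and exit non-zero when it is
# vulnerable, so the check can gate a deployment script.
if [ "${1:-}" = "--local" ] && command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    status=$(heartbleed_status "$line")
    echo "local OpenSSL: $line -> $status"
    [ "$status" != "vulnerable" ]
fi
```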

–jeroen


Posted in *nix, Delphi, Delphi 2006, Delphi 2007, Delphi 2009, Delphi 2010, Delphi 6, Delphi 7, Delphi XE, Delphi XE2, Delphi XE3, Delphi XE4, Delphi XE5, Development, Linux, OpenSSL, openSuSE, Power User, Security, Software Development, SuSE Linux | 7 Comments »

Thanks OSXDaily: Install wget in Mac OS X Without Homebrew or MacPorts

Posted by jpluimers on 2013/12/23

wget is an immensely useful tool for downloading files over ftp, http and https, especially as it allows recursive downloads and mirroring with some very nice options.

Mac OS X doesn’t come with wget, and curl – the alternative for wget – cannot do recursion, so you need wrapper scripts for that.

Basically there are two ways to get wget installed on Mac OS X:

  1. Compile it from the source, then install it like Install wget in Mac OS X Without Homebrew or MacPorts.
  2. Download a prebuilt version like wget – Prebuilt binary for Mac OSX Lion, Snow Leopard and Mountain Lion | Tech Tach.

For both ways you need to remember that the installed wget won’t update automatically. So: keep an eye on wget security vulnerabilities, and update as soon as new ones are found.

The first way (build from source) needs you to download and install Xcode first. Since I’m a Mac OS X developer, I already have that.

Luckily Install wget in Mac OS X Without Homebrew or MacPorts had instructions for the most current version when writing this blog entry. The binary from Tech Tach was outdated.

That, and my sense of having more control over the build process, makes me prefer the first way.

Below are the commands I used (thanks OSXDaily!).

Check http://ftp.gnu.org/gnu/wget/ to make sure you downloaded the most current wget source code.

Posted in *nix, Apple, Mac, Mac OS X / OS X / MacOS, Mac OS X 10.4 Tiger, Mac OS X 10.5 Leopard, Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, OpenSSL, OS X 10.8 Mountain Lion, Power User, Security, wget | Leave a Comment »