Researchers recently announced the discovery of an incredibly dangerous bug in the OpenSSL encryption library. That library is used by about two thirds of websites, and many VPNs and other secure communications services.
The problem is in a memory leak that allows an attacker to request heartbeat responses which will contain up to 64KB of memory, and to do so over and over without being detected. This has already been shown to be able to capture the server’s RSA secret key. That is the key used to authenticate communications with the clients, and to encrypt the session keys. Other data could be captured as well, but those keys are really the biggest threat.
An attacker with that key could perfectly impersonate the server, or run man in the middle attacks undetectably.
It is unknown if, or how often, this attack has been run in the wild. It is entirely possible that major players, like national intelligence services, may have known about this for some time, and could have been silently intercepting traffic to certain websites, potentially for over 2 years. We just don’t know. There is a call for researchers to set up test sites to detect this activity going forward, but there is no way to know if it happened in the past.
The solution is non-trivial. All affected services need to install the recently available patch to fix the underlying problem. They then need to address the possibility that their keys have been stolen. All server certificates need to be revoked, so clients will know to reject them, and new certificates created and distributed. This is likely to take time, and many sites will be very slow to respond.
- Zombie iPhone Bluetooth settings
- Proposed Australian encryption regulations
- More from the Mt. Gox and bitcoin saga
- The cat and mouse of censorship and circumvention in Turkey
Yesterday the Turkish Constitutional Court ruled that the blocking of Twitter violated the guarantees of free speech in the Turkish Constitution.
The government appears to have acted quickly to remove the blocks on Twitter’s IP addresses as well as the changes to DNS as ordered.
Celebratory tweets are gushing out over the wires.
Back in 2010 I blogged about Google’s legal troubles over capturing sensitive open Wi-Fi data with their Street View cars.
In a nutshell, Google was accused of violating the federal Wiretap Act when it intercepted the data on open Wi-Fi networks it passed. The purpose was to capture just the MAC addresses of the base stations to improve their enhanced location services. It appears that recording small amounts of data was accidental. Certainly if they were trying to collect data, they could easily have grabbed much more.
Google lost that case and is now appealing to the Supreme Court, hoping to overturn the decision.
Obviously it was inappropriate for a company like Google to drive around sniffing people’s Wi-Fi traffic, but they are not really the threat. What we all need to be worried about is hackers war driving our neighborhoods, either using our networks to hide their illegal activities, or capturing our personal information for their own purposes.
Whatever the legal outcome of whether it is “OK” to sniff someone’s open Wi-Fi traffic, the reality is that people do, and doing so is trivial. Anyone with a laptop can download free software and be sucking down all the Internet activity in their local coffee shop in just minutes. I think laws like this give a false sense of security. It is like saying that, as you walk down the sidewalk, you can not look in through your neighbor’s big picture window at night when they leave the curtains open.
Thinking that people are “not allowed” to sniff your open Wi-Fi just gives a false sense of security. What we need to do is make sure that ALL Wi-Fi is securely encrypted. Even public Wi-Fi should be encrypted, even if the password is “password” and is posted prominently on the wall. Using encryption changes the situation from looking though a window as you walk by to drilling a peep hole through the wall.
None of should be in denial about this. Open Wi-Fi is insecure. It will be sniffed.
If you find yourself in a situation where you have to use an open Wi-Fi hotspot, for whatever reason, make sure you immediately establish a VPN to protect yourself. I might be biased, but I use Anonymizer Universal for this purpose.
In their continuing effort to suppress discussion of corruption in the Turkish government, they have extended their censorship efforts from blocking Twitter to blocking Youtube. This appears to be in response to Google’s refusal to remove “offending” videos.
Reports suggest that the blocking is not completely effective. If you are in Turkey and being blocked, Anonymizer Universal is able to bypass the censorship. Our two week trial provides a quick solution.