Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Comment Re:If GNUTls is unneeded, then create a NO-OP libr (Score 1) 144

I feel like I'm spelling out the obvious, but: mail server A opens a TLS connection to mail server B to transfer mail, which starts with a TLS handshake, requiring B to send its public key A. The attacker intercepts the message and sends his public key to A, and completes the handshake with both sides, then proceeds to happily pass the data through reading all of it, since he has the session keys on both sides.

You've skipped over the PFS key exchange portion used in TLS.

https://en.wikipedia.org/wiki/...
https://en.wikipedia.org/wiki/...
https://en.wikipedia.org/wiki/...

Maybe the MITM exploit you're talking about is possible, I don't know.

Comment Re:If GNUTls is unneeded, then create a NO-OP libr (Score 1) 144

No, but I understand why you'd think this, as it seems to be a common misconception. If you have a specific example to illustrate this case, that would help.

MITM attack.

That's not a specific example related to TLS or encryption, it's a vague attack classification. The reason I'm asking the question is to find out if there is an actual issue, and so a vague answer like this cannot help our understanding any.

Oh well. OpenSSL apparently has a vulnerability too. sigh :-/

Comment Re:If GNUTls is unneeded, then create a NO-OP libr (Score 1) 144

And the reason I think that's true is that one isn't required to purchase a CA-signed certificate to get that working. If we all had to purchase a CA-signed certificate, I think it would become more rare to see TLS transfers to/from privately-held servers.

I think you're arguing that would be a bad thing, but in reality it'd be a nearly-irrelevant thing.

No. The word "reality" doesn't apply here, because what you're describing isn't what's being actually done for SMTP.

Without authentication, encryption protects only against the most casual of snoopers, most of whom wouldn't be able to sniff the packets anyway.

No, but I understand why you'd think this, as it seems to be a common misconception. If you have a specific example to illustrate this case, that would help.

Comment Re:If GNUTls is unneeded, then create a NO-OP libr (Score 1) 144

If what you say is true (and it probably is) then the state of e-mail security is even worse than I thought it was. Most mail providers don't support TLS anyway, but without authentication it doesn't really matter if they do.

Actually it's quite common for email providers to support TLS transfers today. And the reason I think that's true is that one isn't required to purchase a CA-signed certificate to get that working. If we all had to purchase a CA-signed certificate, I think it would become more rare to see TLS transfers to/from privately-held servers.

If you look at the mail headers for email you receive, you're likely to find "smtps" or "esmtps" in the Received: lines which indicates that it was sent via a TLS transfer. Most mailing list traffic is often done without TLS, though there are exceptions -- Debian's mailing lists still use TLS transfers, which is good.

Comment Re:Wow, that made it seem 10 times worse, thanks! (Score 1) 144

So tell me, why cant we have the parts we know are insecure issue a log each time they are run?

I understand what you're trying to get at; you'd like to have a log of the failure. However unfortunately that wouldn't tell you what you needed to know in this case; if you did have logging on this, the result you'd get would be "client authenticated" even though it was possible that the authentication actually didn't succeed. :-(

The unfortunate truth is that software bugs happen, and bugs that report success are harder to find than bugs that cause a failure.

Comment Re:If GNUTls is unneeded, then create a NO-OP libr (Score 1) 144

There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).

Huh? Even for SSMTP, certificates can -- and must! -- be checked.

I think you mean ESMTPS. And no, usually TLS certificates are not checked by default (they can be, optionally); many TLS certificates used for ESMTPS are not signed by a CA, so there's nothing to check them against. There's also a new DANE protocol where domains that are using DNSSEC can specify TLS certificate details for mail in the DNS record for the domain, but this is currently not popular (supposedly only about 20 domains are using it). Other issues with this are that a number of DNS servers haven't implemented DNSSEC, and a number of MTAs haven't implemented the DANE protocol either.

And we don't want the situation where mail domains have to have thier TLS certificate signed by a CA, because that gets back into the mess of "which CAs are trustworthy" for mail purposes, paying fees for SSL certificate signatures, and so on. It's better to at least have encrypted email transfers than to only allow encrypted transfers from authenticated senders.

Comment Re:If GNUTls is unneeded, then create a NO-OP libr (Score 5, Informative) 144

Create a library with that name that does nothing, or logs errors for any entry points. Why is something being shipped that is insecure. I understand that the builds have to be changed. But the library could be replaced with a skeleton right now, can't it?
And maybe we would see that its not quite as in-active as people think.

There are two distinct part of SSL/TLS; encryption and authentication. In this case it's only the authentication portion that has an issue, not the encryption portion. There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).

As for why GnuTLS exists, AFAIK it's mainly because of licensing issues -- compiling a GPLv2+ program against OpenSSL gets into licensing troubles, so there needed to be a GPL compatible alternative.

Comment Re:Old news (Score 2) 144

Most Linux distributions use OpenSSL for TLS. Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation, and if it doesn't, then it's not affected by this bug (one example is Google Chrome). It's not like iOS where everything is required (by App Store rules) to use SecureTransport.

Another (non-issue) example is MTA (email) transfers; typically on Linux systems MTAs such as Exim use GnuTLS for TLS transfers, but purposely don't do certificate verification (but can be specifically configured to do so).

This is still a serious security issue for anything that does use GnuTLS for certificate verification of course, but off the top of my head I don't have a specific example of where this is done on the Linux platform. [There probably is an example to be found somewhere though.]

Comment Re:Higher potency? (Score 1) 294

Damn, that doesn't sound like much fun. Sorry you had to go through that. :(

No, definitely wasn't.

Thankfully I'm okay and I don't think I'm worse for wear. For a time I was worried that I might have gotten brain damage from it (I know a couple of people that got brain damage from high fevers), but after this happened I went back to college and was able to complete a masters degree in electrical engineering with a high GPA, so I think I'm fine. ;-)

Comment Re:Higher potency? (Score 1) 294

Thanks for the warning. I don't take it often enough to probably hit that. The ibuprofen dose is only 200mg, which is one OTC pill.

I pretty much take maybe 1 or 2 a week at most as needed, but they keep me out of the hospital or urgent care place so it's worth it.

(Annoys me that pain pills are hard to get for people who really need them because some people abuse them...)

I believe I was taking 2 200 mg pills every 6 hours for a full week straight. (Even if I had to get up in the middle of the night if necessary to take another 2 pills.) Unfortunately that's what it required to make the unbearable headache pain subside. I tried only taking 1 pill, that wouldn't cut it. I've never experienced a headache like that before or since.

Heat stroke also messes up your electrolytes too, so I had to eat bananas nuts and sports drinks for several days, during which everything tasted like metal until I got the electrolytes back. And during that time my face was still drooping from palsy, so drinking without spilling it out of my mouth onto my shirt was a challenge. I can look back on it now and laugh a bit, but at the time it was frightening. Also couldn't whistle, drinking from a straw was extremely difficult too because one side of my mouth couldn't close.

If you're only taking an Ibuprofin here and there I'm sure you won't run into what I did. ;-)

Comment Re:Higher potency? (Score 1) 294

I take Vicoprofen (for migraine pain). It's mixed with Ibuprofen instead of Tylenol. It still makes me sick all day after taking it. No idea why people abuse it.

For me it comes down to a choice between being in horrible agony all day or having no pain but stuck in bed feeling dizzy and like shit all day. I'll take that over the pain.

Now there may be some anti-nausea I can take to counteract some of the negative affects, but I haven't asked my doctor about that because the effects now ensure I won't abuse it and I don't want to know otherwise I guess.

I ended up having temporary facial palsy (i.e. half my face drooped and didn't work) after taking Ibuprofin for a week for severe headache pain related to heat stroke. I also felt dizzy and sick while taking the Ibuprofin, but the headache pain without meds was unbearable. After the headache pain from effects of heat stroke passed I was able to stop taking Ibuprofin, and a week later the facal palsy went away. I can't know for sure that the Ibuprofin caused the palsy, but some number of people that take Ibuprofin report having palsy from it.

The nastiest thing about the facial palsy was that on the side of my face that had the palsy the eyelid didn't "auto-blink" anymore, so the eye would get dry. It was especially noticable on long drives. To wet the eye I would have to consciously close both eyes at once -- for whatever reason that still worked. It's a bit mentally draining to have to constantly remember to close both eyes to wet them.

Hopefully you'll never run into this problem.

Comment Re:"promised big changes" (Score 1) 143

...

I personally have run Arch+KDE4 for the past few years and have loved it. Why? Because it works for ME, and I can customize, adjust, etc. things just the way I want them, which is very likely unique to my needs and probably wouldn't be great for someone else to use. But that's the beauty of running Linux on the desktop, you can configure the 'appliance' for your specific need rather than be confined to what someone else thinks is the best way to run a GUI.

I'm mainly a Debian user, I'm also running Arch (in a VM, for Desktop use, with LUKS/cryptfs) and I'm very pleased with what I find with it so far. However one thing I do notice is that for Daemons, Arch upgrades seem to create ".pacnew" configuration files that sit alongside the original configuration files and outputting a warning, somewhat similar to how RPMs upgrade with ".rpmnew" files. I don't particularly like that -- I much prefer the prompts for administrator input that the APT/dpkg system brings up when .deb packages are upgraded that have user-modified configuration files. It's way too easy to miss the text warning that flies by on the screen saying there's a ".pacnew" file somewhere during a "pacman -Syu" upgrade.

Comment Check if their MTA supports SMTP over TLS (Score 1) 399

I've yet to deal with an organization that has a GPG/PGP key for encrypting email to the organization. I don't think there's anything wrong with asking if they have one for encrypted email use, and so I think it's fine if you go ahead and do so, but I also don't expect that they have one.

What is more common is for the email MTA to support SMTP over TLS encrypted transfers. This can be verified using 'swaks' by testing each of the company's email servers listed in DNS one by one.

Finding the mail servers that cover a domain, for instance "nonsense.com":

$dig nonsense.com mx +short
10 nullmx.nonsense.com.

$swaks --ehlo testing.example.com --server nullmx.nonsense.com --tls -q TLS
=== Trying nullmx.nonsense.com:25...
=== Connected to nullmx.nonsense.com.
    220 mx ESMTP
        EHLO testing.example.com
    250-mx
    250-PIPELINING
    250-SIZE
    250 8BITMIME
*** Host did not advertise STARTTLS
    QUIT
    221 mx
=== Connection closed with remote host.

If the company email MTAs all DO support SMTPS, then perhaps that will be good enough. Even if the company did support GPG, there are certain things such as the Subject for the email which don't get encrypted, so SMTPS is important for those reasons anyway.

Comment Re:It could easily be focused (Score 4, Interesting) 609

Like everyone else, I have no idea what they're doing, but no, it doesn't rule out focused surveillance.

What's being acquired as evidence is very wide, and the NSA is famous for both large data storage and building a database of interpersonal connections. Regardless if the particular reason this information is being gathered, I'm working under the assumption that they're going to be using the information in whatever way they can, rather than for the original reason they're taking the data.

I find it really concerning that a secret court can order such wide data transfer to the NSA, and also order that the order be kept secret.

Slashdot Top Deals

Computer Science is merely the post-Turing decline in formal systems theory.

Working...