
OpenSSL update, network-wide, to version 1.0.1i


Postby cryptostorm_admin » Wed Aug 20, 2014 4:47 am

We wanted to let the member community know that on August 8th we completed upgrading all of the nodes across the cryptostorm network to OpenSSL version 1.0.1i. Version "i" was released to full public distribution on the sixth, and it patches up a handful of newly-identified bugs, hiccups, and sub-optimal implementations within the OpenSSL framework.

If you're curious to read the full official release announcement from the OpenSSL team it's available here (.txt document). Rather than replicate all the details in this post, it's probably best to simply point curious folks to the full advisory notification.

Our editorial perspective on this "i" release by the OpenSSL team is threefold:

    First, most of the patched bugs appear to be relatively moderate, and look to involve potential denial-of-service or forced-crash attacks that can be accomplished by throwing various malformed protocol parameters back and forth during or prior to secure session initiation. It's good to see these patched, even though none seem life & death on the surface.

    Second, the one patched vuln that seems most noteworthy to us is CVE-2014-3511, titled as "OpenSSL TLS protocol downgrade attack." These kinds of downgrade attacks are widespread and can be deadly effective, in particular in assisting in successful man in the middle (MiTM) attacks. We require current OpenSSL libraries in order to initiate cryptostorm sessions with clients, and we don't allow below-current TLS versions to be used in network sessions exactly because of the presence of so many effective downgrade-based attack vectors. So, this particular attack wouldn't work against cryptostorm network sessions (prior to the "i" version patch), but we're still glad to see it patched since many 'naive' security services do not force current protocol adherence & thus are vulnerable to these attack categories. Because many people (wrongly) think of downgrade attacks as not 'sexy,' they don't get as much attention as (for example) Heartbleed. This is unfortunate; it's good to see that changing, nowadays.

    Third, we note that Google has submitted a majority of the vulns that were patched during this OpenSSL update cycle, as well as several of the patches (src) themselves. Good on Google! More specifically, we see that the inestimable Adam Langley, who currently calls Google home, is firsthand involved in a number of these vulns & submitted himself several of the patches as well. Adam is a treasured resource within the cryptographic community, not just for his deep elliptic-curve expertise but for his overall knowledge set and notable willingness to share that knowledge widely with the larger community. Seeing Adam's fingerprints on these current OpenSSL patches is a truly heartening sign of positive changes, post-Heartbleed, in the depth of support provided to the OpenSSL project by not only the broad crypto community, but also by companies like Google and credentialled wise ones like Adam. So, in a word: hooray! :-)

That's about it for this patch. Folks running *nix systems client-side might want to bring their OpenSSL versions current via whatever appropriate distro procedures are applicable (yum, apt-get, etc.). Some distros will handle this automatically, but it's worth double-checking to be sure.

Cheers,

    ~ cryptostorm_admin
cryptostorm_admin - a mostly-shared, admin team forum account (sort of a person, but also shared)
PLEASE DON'T SEND PRIVATE MESSAGES to this account, as we can't guarantee quick replies!
--> feel free to use any of our other contact channels, or post in the support forum
cryptostorm: structurally anonymous, token-based, unlimited ☂ bandwidth, opensource, darknet data security for everyone!
keybase.io validators | onename.io validators | PGP key @ MIT | network status | cryptostorm github
support team bitmessage address: BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ
support team email: support@cryptostorm.is
live chat support: #cryptostorm
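As an added example (not cryptostorm's own tooling, and not code from the OpenSSL advisory), here is a small Python check a node operator or a client-side *nix user could run to confirm two of the points in the post above: that the local OpenSSL build is at or above a required release such as 1.0.1i, and that a finished TLS session actually negotiated the expected protocol floor rather than something a downgrade would leave behind. The required version, the TLS 1.2 floor and the sample version strings are assumptions chosen for illustration; the check reads `ssl.OPENSSL_VERSION`, which reports the library Python was linked against, so it tells you about that build and not necessarily about every OpenSSL copy on the host.

```python
"""Added example: audit the local OpenSSL release against a required minimum
and reject TLS sessions that negotiated below a protocol floor.
The minimum release (1.0.1i) and the TLS 1.2 floor are assumptions for
illustration, not settings taken from cryptostorm or OpenSSL."""
import re
import ssl

# OpenSSL releases before 1.1.1 carry a letter suffix for patch releases
# (1.0.1h < 1.0.1i); 1.1.1 and 3.x use plain dotted numbers.  The regex
# captures both shapes; LibreSSL strings ("LibreSSL 2.8.3") parse too, but
# their numbering is a different series and should be judged separately.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.0.1i 6 Aug 2014' (or bare '1.0.1i') into a tuple that
    compares correctly: (major, minor, patch, letter_suffix)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no OpenSSL version number in %r" % (text,))
    major, minor, patch, letters = match.groups()
    # '' sorts before 'a', so 1.0.1 < 1.0.1a < 1.0.1i, and 1.0.2 > 1.0.1z.
    return (int(major), int(minor), int(patch), letters)


def is_at_least(installed, required):
    """True when the installed release is the required one or newer."""
    return parse_openssl_version(installed) >= parse_openssl_version(required)


def audit_local_openssl(required="1.0.1i"):
    """Check the OpenSSL build this Python interpreter is linked against."""
    return is_at_least(ssl.OPENSSL_VERSION, required)


# Names as returned by SSLSocket.version(), oldest to newest.
_PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def negotiated_version_acceptable(negotiated, floor="TLSv1.2"):
    """Post-handshake check.  SSLSocket.version() names the protocol the two
    sides actually agreed on, so a session that ended up below the floor is
    rejected here even if the context settings were somehow bypassed.
    Unknown or missing names (None before the handshake) fail closed."""
    try:
        return _PROTOCOL_ORDER.index(negotiated) >= _PROTOCOL_ORDER.index(floor)
    except ValueError:
        return False


def make_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """A client context that refuses to negotiate below the floor at all,
    which is the preventive half of the check above."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor
    return ctx


if __name__ == "__main__":
    print("linked library:", ssl.OPENSSL_VERSION)
    print("at least 1.0.1i:", audit_local_openssl("1.0.1i"))
    # Constructed sample negotiations, as a client might log them.
    for name in ("TLSv1", "TLSv1.2", "TLSv1.3", None):
        print("negotiated %-8s acceptable: %s" % (name, negotiated_version_acceptable(name)))
```

Both halves matter: `minimum_version` on the context stops the library from offering old versions in the first place, and the post-handshake check on `SSLSocket.version()` is the cheap second line that catches any session that still ended up below the floor, which is the failure mode a downgrade bug in the library itself would produce.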


Re: OpenSSL update, network-wide, to version 1.0.1i

Postby jlg » Fri Sep 19, 2014 2:57 pm

cryptostorm_admin wrote:We wanted to let the member community know that on August 8th we completed upgrading all of the nodes across the cryptostorm network to OpenSSL version 1.0.1i. [...]


Thanks for the info and the update. Interesting to note.

--Privat

