Coding Practice [was Re: Serious OpenSSL vulnerability]

Bruno Wolff III bruno at wolff.to
Sat Apr 26 23:35:09 UTC 2014


On Sat, Apr 26, 2014 at 22:19:47 +0200,
   Frantisek Hanzlik <franta at hanzlici.cz> wrote:
>
>I'm not an SSL/TLS guru and I haven't studied the OpenSSL heartbeat bug
>in depth (mainly because I consider Fedora 15+ too problematic and stay on
>F14 with eventual migration to CentOS 6 on my servers, thus they aren't
>affected by this bug), but - is it true that when a private key is
>stolen, this _always_ implies that encrypted traffic may be read
>with private key knowledge? As far as I know, when e.g. Diffie-Hellman key
>exchange is used, then even private key knowledge isn't sufficient
>to decode network traffic. Of course, the TLS RFCs give us some basic set
>of mandatory ciphersuites which every TLS endpoint should know, and
>there are also those where private key knowledge is sufficient for
>traffic decoding. But when on my side I allow e.g. (contrary to the RFCs)
>only DH ciphersuites, then maybe either I'm not able to establish a
>connection, or my connection is reliable - although the connection is
>tapped by someone who keeps my private key. Or am I wrong?

If you have the private key and can redirect network traffic you can 
do man in the middle attacks. If forward security isn't being provided 
then just being able to see the traffic can allow you to get session 
keys.

Depending on what you don't like about current Fedoras, you might try 
out the XFCE or Mate desktops. They provide an experience similar 
to Gnome 2. If you have an old graphics card, you will want to use 
kdm or lxdm instead of gdm.
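
The distinction drawn in the exchange above, as an added example that is not part of the original post: a toy model of one handshake with RSA key transport and one with ephemeral Diffie-Hellman, and what a recorded capture yields once the long-term key is known. All names, parameters and sizes are constructed for illustration; this is textbook arithmetic, not real TLS and not secure.

```python
# Toy model with constructed, tiny parameters. NOT real TLS, NOT secure crypto.
import secrets

# Server's long-term RSA key (textbook small primes).
P_RSA, Q_RSA, E = 61, 53, 17
N = P_RSA * Q_RSA
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))   # private exponent

# Toy Diffie-Hellman group used for the ephemeral exchange.
DH_P, DH_G = 2**127 - 1, 3


def rsa_kx_session():
    """RSA key transport: client encrypts the premaster to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"kx": "RSA", "enc_premaster": pow(premaster, E, N)}
    return premaster, wire


def dhe_session():
    """Ephemeral DH: long-term key only signs the server's fresh share."""
    a = secrets.randbelow(DH_P - 2) + 1      # client exponent, discarded afterwards
    b = secrets.randbelow(DH_P - 2) + 1      # server exponent, discarded afterwards
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(B, a, DH_P)                 # equals pow(A, b, DH_P)
    sig = pow(B % N, D, N)                   # toy textbook RSA signature over B
    wire = {"kx": "DHE", "A": A, "B": B, "sig": sig}
    return shared, wire


def recover_from_capture(wire, long_term_d):
    """Session secret derivable from a recorded handshake plus the long-term key."""
    if wire["kx"] == "RSA":
        # The secret itself crossed the wire under the long-term key.
        return pow(wire["enc_premaster"], long_term_d, N)
    # DHE: the long-term key only authenticated B. The secret depends on a or b,
    # which were never transmitted, so the key adds nothing to a passive capture.
    return None


if __name__ == "__main__":
    secret, capture = rsa_kx_session()
    print("RSA kx recovered:", recover_from_capture(capture, D) == secret)
    secret, capture = dhe_session()
    print("DHE recovered:", recover_from_capture(capture, D))
```

The signature in the DHE case is the only place the long-term key appears, which is why holding that key still matters for the redirect-and-impersonate case mentioned in the reply, but not for traffic that was merely recorded.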

