[kwlug-disc] More openSSL issues

[Bob Jonkman]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Looks like OpenSSL is finally getting the many eyes needed to make its
bugs shallow.  But I wish the BSD folks wouldn't use such unkind words
to describe the OpenSSL problems...


The other vulnerability we were discussing is the OAuth/OpenID one.
This is what I read:

 [1]
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

but (one of) the report(s) of the flaw is here:

 [2]
http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html


On the other hand, there are claims of "security reporting farce":

 [3] https://www.tbray.org/ongoing/When/201x/2014/05/03/Security-Farce

It's worthwhile to click through the links in article [3]:

 [4] http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

 [5]
http://www.tetraph.com/blog/2014/05/hack-facebook-account-based-oauth-2-0-covert-redirect-vulnerability-information-leakage-url-redirect-%E6%94%BB%E5%87%BB%E8%84%B8%E4%B9%A6-%E5%9F%BA%E4%BA%8E-oauth-2-0-%E6%BC%8F%E6%B4%9E/

 [6] http://alexbilbie.com/2013/02/facebooks-oauth-problem/

 [7]
http://www.thread-safe.com/2014/05/covert-redirect-and-its-real-impact-on.html

To be honest, while [2] may describe a real vulnerability, the
complicated steps needed to invoke it ("open 25 windows in your
browser...") require a deliberate effort to expose yourself to it. No
wonder the big OAuth providers aren't doing anything about it.  And
[6] indicates that it's an implementation flaw, from lack of parameter
validation.

So, for the moment, I'm not going to worry about this one.

- --Bob.


On 14-05-06 10:16 AM, CrankyOldBugger wrote:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Ensure confidentiality, authenticity, non-repudiability
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNpHPIACgkQuRKJsNLM5erpBQCaA88RWHC5xYt45Dp0gfVY+rZw
OMYAoNtDhXC9E6kh+gct6XZvfzPX8xZn
=i8da
-----END PGP SIGNATURE-----