[kwlug-disc] More openSSL issues
Bob Jonkman
bjonkman at sobac.com
Tue May 6 13:33:40 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Looks like OpenSSL is finally getting the many eyes needed to make its
bugs shallow. But I wish the BSD folks wouldn't use such unkind words
to describe the OpenSSL problems...
The other vulnerability we were discussing is the OAuth/OpenID one.
This is what I read:
[1] http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
but (one of) the report(s) of the flaw is here:
[2] http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
On the other hand, there are claims of "security reporting farce":
[3] https://www.tbray.org/ongoing/When/201x/2014/05/03/Security-Farce
It's worthwhile to click through the links in article [3]:
[4] http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
[5] http://www.tetraph.com/blog/2014/05/hack-facebook-account-based-oauth-2-0-covert-redirect-vulnerability-information-leakage-url-redirect-%E6%94%BB%E5%87%BB%E8%84%B8%E4%B9%A6-%E5%9F%BA%E4%BA%8E-oauth-2-0-%E6%BC%8F%E6%B4%9E/
[6] http://alexbilbie.com/2013/02/facebooks-oauth-problem/
[7] http://www.thread-safe.com/2014/05/covert-redirect-and-its-real-impact-on.html
To be honest, while [2] may describe a real vulnerability, the
complicated steps needed to invoke it ("open 25 windows in your
browser...") require a deliberate effort to expose yourself to it. No
wonder the big OAuth providers aren't doing anything about it. And
[6] indicates that it's an implementation flaw, from lack of parameter
validation.
So, for the moment, I'm not going to worry about this one.
- --Bob.
On 14-05-06 10:16 AM, CrankyOldBugger wrote:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Ensure confidentiality, authenticity, non-repudiability
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlNpHPIACgkQuRKJsNLM5erpBQCaA88RWHC5xYt45Dp0gfVY+rZw
OMYAoNtDhXC9E6kh+gct6XZvfzPX8xZn
=i8da
-----END PGP SIGNATURE-----
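The "lack of parameter validation" Bob attributes to [6] is, in the Covert Redirect write-ups linked above, the OAuth provider accepting a redirect_uri that merely resembles the one registered for the client (prefix or host-only matching) rather than one that matches it exactly. The block below is an added example written for this archive page; it is not code from the thread or from any of the linked articles or providers. It contrasts a weak prefix check with the exact-match check the OAuth security guidance recommends. The client name, registered URI and sample requests are constructed values.

```python
from urllib.parse import urlsplit

# Constructed example: the redirect URIs a hypothetical OAuth provider has
# registered for one client. Real providers keep these per client_id.
REGISTERED_REDIRECTS = {
    "https://app.example.com/oauth/callback",
}


def _key(uri: str):
    """Canonical comparison key: scheme and host lower-cased, default port
    filled in, path and query kept byte-for-byte. Returns None if the URI
    cannot be parsed (for example an invalid port)."""
    try:
        p = urlsplit(uri)
        port = p.port
    except ValueError:
        return None
    scheme = p.scheme.lower()
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, (p.hostname or "").lower(), port, p.path, p.query, p.fragment)


_REGISTERED_KEYS = {_key(r) for r in REGISTERED_REDIRECTS}


def prefix_match_allowed(requested: str) -> bool:
    """The weak check: accept any redirect_uri that *starts with* a registered
    one. This is the kind of validation the covert-redirect reports describe,
    because anything appended after the registered prefix is accepted."""
    return any(requested.startswith(r) for r in REGISTERED_REDIRECTS)


def exact_match_allowed(requested: str) -> bool:
    """The strict check: https only, no fragment, and scheme/host/port/path/query
    must equal a registered URI exactly. Only case and default-port
    normalisation is applied; the path is compared as a literal string, so
    appended segments, dot-segments or extra query parameters are rejected."""
    key = _key(requested)
    if key is None:
        return False
    scheme, _host, _port, _path, _query, fragment = key
    if scheme != "https" or fragment:
        return False
    return key in _REGISTERED_KEYS


def compare(requested: str) -> dict:
    """Run both validators on one redirect_uri so the difference is visible."""
    return {
        "prefix": prefix_match_allowed(requested),
        "exact": exact_match_allowed(requested),
    }


if __name__ == "__main__":
    # Constructed sample redirect_uri values as they might arrive in an
    # authorization request.
    samples = [
        "https://app.example.com/oauth/callback",
        "https://APP.example.com:443/oauth/callback",
        "https://app.example.com/oauth/callback/extra",
        "https://app.example.com/oauth/callback?next=other",
        "http://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback#fragment",
    ]
    for s in samples:
        print(f"{s!s:55} {compare(s)}")
```

The prefix validator lets the third and fourth samples through, and those are exactly the cases where the client's own path handling (a forwarding endpoint, an open redirector) decides where the authorization code or token ends up; the exact-match validator leaves no such room, and the client, on its side, still needs an unguessable state value and a non-forwarding callback endpoint.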