[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DNSSEC?
On 4/11/2014 5:47 PM, Matt Palmer wrote:
> That's not DNSSEC that's broken, then. - Matt
You're correct about that, but everything depends on your level of
paranoia.
The bug has a potential to show 64k of memory that may or may not be a
part of the TLS/SSL connection*. In that 64k their may be ssh keys,
dnssec keys, pictures of cats, or anything else that needs to be safely
protected. If something is very important to keep secure and it was on
a box that has a TLS/SSL connection then you should regenerate keys for
it, but largely this effort would be just in case and not because it's
compromised.
* technically it is part of the connection, it's just malloc() and not
zeroed so whatever data was in it before was not cleared. If you can be
sure all your cat picture applications zero memory on exit and none of
them exited uncleanly then this isn't a problem. At high levels of
paranoia this isn't really something that you can be sure of though.
I'm not even sure if it's done in most crypto apps aside from gpg.
OpenSSL is double-faulted here for both not checking the length and not
zeroing the memory on malloc**.
** probably making this all up since I haven't done a real look at the
library, I'm just going by what I've read on the internet.
I expect we may see more bugs revealed in openssl soon. It's getting
lots of scrutiny from this so I expect the code is being audit by
everyone and that's good.
- Follow-Ups:
- DNSSEC?
- From: marka at isc.org (Mark Andrews)
- DNSSEC?
- From: mysidia at gmail.com (Jimmy Hess)
- References:
- DNSSEC?
- From: bzs at world.std.com (Barry Shein)
- DNSSEC?
- From: cma at cmadams.net (Chris Adams)
- DNSSEC?
- From: cabo at tzi.org (Carsten Bormann)
- DNSSEC?
- From: mpalmer at hezmatt.org (Matt Palmer)