Posts: 11 | Thanked: 85 times | Joined on Jan 2010 @ Helsinki
#41
OK, the blacklisting of compromised DigiNotar CAs and stolen Comodo server certs is in the latest CSSU, so the original topic of this thread is now covered. The downside is that the certificates applet now shows the blacklisted certs as trusted roots. They are not, so don't be alarmed, and I think there is an SSU coming from Nokia which will also fix that. The UI fix will also be included in the next CSSU.

Apropos Rizzo's and Duong's new SSL/TLS exploit, may I recommend a summary by the Tor project:

https://blog.torproject.org/blog/tor...ast-ssl-attack

The Tor blog is an excellent source of security related news IMHO. TL;DR the attack is not really revolutionary but a very serious matter anyhow.

Still, it doesn't exactly mean that SSL/TLS <= 1.0 is totally broken. It means that with some considerable effort an attacker in a MITM position can decrypt data that is added in every packet sent to an SSL/TLS site at a known position, i.e. a session cookie. And only if the cipher uses CBC (SSL 3.0 supports some 30 different ciphers, both block and stream ciphers, and only block ciphers can use CBC). For instance, Google's servers use the stream cipher RC4, which is not vulnerable to this particular attack, although it has its own set of problems. Many other sites too.

While this kind of news is always disturbing, I personally think that what we are seeing is evolution in progress. A CA turns out to be untrustworthy => the CA gets wiped away. DigiNotar just filed for bankruptcy. A vulnerability is found in a crypto protocol => the protocol is fixed, and while waiting for that, an alternative protocol is being used.

But then again, I'm an incurable optimist. Even thinking Maemo could still have some future ahead of her.

JuM

Last edited by juhanima; 2011-09-24 at 20:26.
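An added example, not from this thread or from the maemo-security-certman package, that encodes the conditions JuM lists above as a check a site admin can run over observed TLS negotiations: exposure needs a CBC-mode suite under SSL 3.0 / TLS 1.0, while stream ciphers (RC4), AEAD suites and TLS >= 1.1 (per-record IV) are outside this particular attack. The host names and negotiations in OBSERVED are constructed sample data; suite names follow IANA and OpenSSL conventions.

```python
import re

# Protocol versions that still chain the CBC IV from the previous record.
_OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}

def cipher_mode(cipher: str) -> str:
    """Infer the record-protection mode from an IANA- or OpenSSL-style suite name."""
    name = cipher.upper()
    if any(tag in name for tag in ("GCM", "CCM", "POLY1305")):
        return "aead"       # authenticated modes: no CBC chaining at all
    if "RC4" in name or "CHACHA" in name:
        return "stream"
    # OpenSSL names such as AES128-SHA or DES-CBC3-SHA do not always spell out "CBC".
    if "CBC" in name or re.search(r"\b(AES|3DES|DES|CAMELLIA|SEED|IDEA)", name):
        return "cbc"
    return "unknown"

def assess(protocol: str, cipher: str) -> dict:
    """Apply the post's two conditions: CBC mode AND a pre-TLS-1.1 protocol."""
    mode = cipher_mode(cipher)
    old = protocol in _OLD_PROTOCOLS
    if mode == "cbc" and old:
        reason = "CBC suite under %s: data at a known position (e.g. a session cookie) " \
                 "is recoverable by a MITM with chosen-plaintext access" % protocol
        exposed = True
    elif mode == "cbc":
        reason, exposed = "CBC suite, but %s uses a fresh IV per record" % protocol, False
    elif mode == "stream":
        reason, exposed = "stream cipher, not CBC (RC4 has its own set of problems)", False
    elif mode == "aead":
        reason, exposed = "AEAD suite, no CBC", False
    else:
        reason, exposed = "could not classify suite name %r" % cipher, None
    return {"mode": mode, "exposed": exposed, "reason": reason}

# Constructed sample negotiations: (host, negotiated protocol, negotiated suite).
OBSERVED = [
    ("bank.example",   "TLSv1",   "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("mail.example",   "TLSv1",   "RC4-SHA"),
    ("shop.example",   "TLSv1.2", "ECDHE-RSA-AES256-SHA"),
    ("api.example",    "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("legacy.example", "SSLv3",   "DES-CBC3-SHA"),
]

def exposed_hosts(observations) -> list:
    """Return the hosts whose negotiation meets both conditions, in input order."""
    return [host for host, proto, suite in observations
            if assess(proto, suite)["exposed"] is True]

if __name__ == "__main__":
    for host, proto, suite in OBSERVED:
        print(host, proto, suite, assess(proto, suite)["reason"])
```

Feed it the (protocol, suite) pairs from your own server logs or from `ssl.SSLSocket.cipher()` on a test connection; hosts listed by `exposed_hosts` are the ones to move off CBC suites under TLS 1.0.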
Posts: 361 | Thanked: 219 times | Joined on Sep 2010
#42
Originally Posted by juhanima:
> Hi, all!
>
> Sorry for being silent so long. I am the maintainer of the maemo-security-certman package which should be updated to fix this problem.
>
> ...
>
> Cheers, JuM

Update with PR1.3.1 (21.2011.38-1) went fine today and everything is working fine as before.
Thanks again juhanima.

Edit: there seems to be an issue with A-GPS.
See the link below.

I set the subject line accordingly.
For completeness I also add a link to the other thread about this topic:
http://talk.maemo.org/showthread.php?t=79400

Last edited by PMaff; 2011-11-25 at 14:26. Reason: Added some more information