DROWN attack
Comments
-
This is off topic but another SSL/TLS vuln has been discovered. And we are supposed to believe that Apple can keep things secure so it never escapes!
0 -
@wkleem: That is a bit off topic, so I've split this off into a separate discussion. However, I think that's a great question that does relate somewhat to the question of Apple security.
Now, technically these are pretty different: in the case of Touch ID, the secure enclave is implemented in hardware and is not programmable. It would have to be tested extensively both before, during, and after production, since a hardware bug is irrevocable. And given that what it does is fairly simple (hashing and storing data), it would be surprising for any issues to be found only after many years.
On the other hand, SSL/TLS support is implemented in software, and has become increasingly complex over the years. In addition to that, companies often implement it themselves (or modify open source implementations), which gives rise to other issues we've seen over the years. But of course a security bug in a reference implementation that many software packages (OS, browser, server, etc.) are based on is how we end up with problems like this (and Heartbleed).
0 -
Hi
Will the Agilebits Watchtower be updated for the new DROWN attack? At this point, I have to wonder what's left of SSL/TLS that isn't vulnerable?
0 -
Hmm. Good question! Watchtower is geared more toward website breaches (password database dumps, etc.) but it's certainly something we can consider adding. Thanks for bringing this up! :)
0 -
Thanks Brent.
0 -
Any time! :pirate: :+1:
0 -
Looking forward to improvements in 1Password's vulnerability reporting. In other news, Adobe Flash was hit again with more vulns :(
0 -
I'll be honest, I stopped reading about Flash vulnerabilities after uninstalling it from all my machines a while back. It was just a liability. When I do run into something that requires Flash, Chrome is my sandbox. I just make sure it's up to date beforehand and I'm good to go. And it isn't often that it even comes up. Almost everything is HTML5 nowadays. :sunglasses:
0 -
I would be careful about Chrome, not least because it never actually deletes old installations in Windows.
http://www.ghacks.net/2011/02/14/free-up-disk-space-by-deleting-older-google-chrome-versions/
0 -
@bwoodruff, those folders are hidden by default and would have to be made visible to be seen.
0 -
@bwoodruff, your team might want to check Chrome installations on both Macs and Windows PCs for this hidden bloat.
0 -
If you just mean in general, that we ourselves should check for this on our own installations, then yes, thanks for the heads up. :+1:
You're welcome. It wouldn't hurt to check. I have not come across this issue on Chrome 64bit however. YMMV.
0 -
While I'm not super concerned since that doesn't impact security, that's good to know! Thanks for the info! I don't think I have any 32-bit copies of Chrome hanging around still, but as you pointed out, one never knows! :dizzy:
Edit: It seems like I've only got the current and previous version on my PCs, which seems to mesh with the writer's findings as well:
Update: Only the two most recent versions of Chrome are kept as of today. It is unclear if what I experienced was a bug or if Google modified the process.
Weird.
0