I See What You Did There

SSLv3 is older than my daughter, but is still supported by all major browsers. The latest crypto bug is a MITM (man in the middle) attack that could allow anyone with a network device (WiFi router) sitting between browser users and the destination SSLv3 server (https “secure” bank site, for instance) to snoop on the connection in plain text.

Links:
SSLv3 server stats and steps to fix your browser
POODLE attack details
#POODLE on twitter

Everything is Good Here

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
        OSStatus        err;
        ...

        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
                goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
                goto fail;
                goto fail;
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
                goto fail;
        ...

fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
}

The duplicate ‘goto fail;’ line above will always pass the SHA1 signature check as valid, no matter what. Nice little programming error, there, Apple. Affects iOS since at least 7.0.4, and a fix was just released. MITM anyone? o_O

via: Apple’s SSL/TLS bug

Attending DebConf11 Remotely

I was unable to make the trip to DebConf11 in Banja Luka, Bosnia & Herzegovina, this year, but I will be attending remotely as much as possible. I will update this post throughout the conference with the links to the resources I am using, as well as other notes of interest. I hope that others find this useful.

The Banja Luka timezone is UTC +0200. For me, this is a 7 hour difference from my local time (UTC -0500), so I’ll be spending the next few days attempting to adjust my sleep schedule to try to hit some early talks during the conference 🙂 The local Banja Luka time is listed on the auto-refreshing What’s up! talk schedule page.

Schedule:
What’s up!
Full DebConf11 Talk Schedule on Penta

The DebConf Video Team provides real-time talk feeds that makes remote DebConf attendance possible. Without their amazing work, people that cannot make it to the conference would simply not be able to get much of what the DebConf experience provides. The videos are also archived by the team for viewing after the conference.

Video Feeds:
http://debconf11.debconf.org/watch.xhtml – mash-up of video feeds, schedule, etc.
http://video.debconf.org:8000/Auditorium.ogv – main conference room direct feed
http://video.debconf.org:8000/Roundroom.ogv – secondary conference room direct feed
Video Archives:
http://meetings-archive.debian.net/pub/debian-meetings/

IRC is probably one of the best ways to supplement Debconf talks and provides a way to remotely ask questions during Q&A – someone in the talk audience will usually pick up questions from the room channels and ask on your behalf. The DebConf11 talk room IRC channels are #debconf-auditorium and #debconf-roundroom.

The general DebConf IRC channel is #debconf – there is typically some conference talk discussion here, as well as a helpful schedule announcement bot, DCschedule, but much of the discussion on #debconf will revolve around casual conversation, the search for people, power adapters, games of Mao, and the best local food and pubs 😉

IRC:
server: irc://irc.oftc.net
channels: #debconf – #debconf-auditorium – #debconf-roundroom

The DebConf mailing lists may also provide some interesting conversations that can help the remote attendance experience. The debconf-announce list is very low traffic and debconf-discuss will be where most conversations will take place.

Mailing Lists:
DebConf Mailing Lists (subscribe, etc.)
debconf-announce Archives
debconf-discuss Archives

Other Links:
DebConf identi.ca group