Category: Rants
Nothing to See Here
Following Apple’s SSL patch (in which they said to switch to TLS), GNUTLS patched a similar bypass of certificate checking..
via: Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
Everything is Good Here
static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { OSStatus err; ... if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; ... fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; }
The duplicate ‘goto fail;’ line above will always pass the SHA1 signature check as valid, no matter what. Nice little programming error, there, Apple. Affects iOS since at least 7.0.4, and a fix was just released. MITM anyone? o_O
via: Apple’s SSL/TLS bug
To Whom It May Concern
Disclaimer:
By sending an email to ANY of my addresses you are agreeing that:
- I am by definition, “the intended recipient”
- All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it on usenet.
- I may take the contents as representing the views of your company.
- This overrides any disclaimer or statement of confidentiality that may be included on your message.
(words via John Sullivan)
MacReport.Net Media Publishing, Inc. <- IDIOTS..
Public notice to the idiots at MacReport.Net Media Publishing, Inc.:
For over a year, various morons at your organization have been sending email to my gmail.com address. Repeated replies requesting that the senders completely remove my email address from your organization’s contact lists have failed. Various forms of assuredly private information including profit/loss statements, merchandise invoice information, requests for payroll adjustments, insurance bills and quotes – stuff that I’m sure would be unfortunate to have publicly known – have been repeatedly sent to me.. This is my last reply in an attempt to address your incapacity to figure out who the hell you are sending email to. Today, I received two more emails from Patricia A. Phillips, so this is it..
If you cannot figure out how to manage your email and I receive future messages from your organization, I will simply publish each and every message, past and present, in a conspicuous place such as reddit.com for feedback from the public.
Thanks.