
What's with SSL on the luv.asn.au website? The login form doesn't have SSL, which means you can't be sure that someone isn't sniffing your credentials, and also the credentials are going over the wire in plaintext. And then when you go to the "my account" area, you do get redirected to SSL but the certificate expired 2 years ago.

James

¬_¬ Undisclosed important OpenSSL updates expected today. Anything to do with that?

On 09/07/15 22:20, Scott Junner wrote:
> Undisclosed important OpenSSL updates expected today. Anything to do with that?

Not undisclosed: https://thejh.net/written-stuff/openssh-6.8-xsecurity

Hope that helps,
Andrew

On 09/07/15 22:57, Andrew Pam wrote:
> On 09/07/15 22:20, Scott Junner wrote:
>> Undisclosed important OpenSSL updates expected today. Anything to do with that?
>
> Not undisclosed: https://thejh.net/written-stuff/openssh-6.8-xsecurity

I believe Scott's joke was referring to CVE-2015-1793 reported two weeks ago, and just announced and patched today. This SSL issue allows an attacker (or a site) to "cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate."

https://www.openssl.org/news/secadv_20150709.txt

It only affects the most recent OpenSSL versions (1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o).

Glenn

--
sks-keyservers.net 0x6d656d65

participants (4)
- Andrew Pam
- Glenn McIntosh
- James Harper
- Scott Junner