" ... In other words, the JSSE implementation of TLS has been providing virtually no security guarantee (no authentication, no integrity, no confidentiality) for the past several years. "
FREAK: Factoring RSA Export Keys,
http://blog.cryptographyengineering.com ... g-nsa.html
"server impersonation exploits against several mainstream browsers (including Safari and OpenSSL-based browsers on Android)"
Vulnerable TLS client libraries include:
OpenSSL (CVE-2015-0204): versions before 1.0.1k are vulnerable.
BoringSSL: versions before Nov 10, 2014 are vulnerable.
LibreSSL: versions before 2.1.2 are vulnerable.
SecureTransport: is vulnerable. A fix is being tested.
SChannel: is vulnerable. See the security advisory. A fix is being tested.
Mono: versions before 3.12.1 are vulnerable.
IBM JSSE: is vulnerable. A fix is being tested.
Other disclosure pending
Web browsers that use the above TLS libraries are vulnerable, including:
Chrome: versions before 41 on various platforms are vulnerable. Update to Chrome 41.
Internet Explorer: is vulnerable. Wait for a patch and see the security advisory.
Safari: is vulnerable. Wait for a patch.
Android Browser: is vulnerable. Switch to Chrome 41.
Blackberry Browser: is vulnerable. Wait for a patch.
Opera: on Mac and Android is vulnerable. Update to Opera 28 (when stable).
Other client applications (such as email) that use vulnerable TLS libraries may also be vulnerable.