diff --git a/sources/talk/20140607 New OpenSSL breach is no Heartbleed-but needs to be taken seriously.md b/sources/talk/20140607 New OpenSSL breach is no Heartbleed-but needs to be taken seriously.md deleted file mode 100644 index 04a453eb65..0000000000 --- a/sources/talk/20140607 New OpenSSL breach is no Heartbleed-but needs to be taken seriously.md +++ /dev/null @@ -1,59 +0,0 @@ -[translating BY lolipop] -New OpenSSL breach is no Heartbleed, but needs to be taken seriously -================================================================================ -> Summary: While the newest OpenSSL security problems are troubling, and you should address it, it's nothing as bad as Heartbleed. - -It's been a bad week for open-source Secure Socket Layer (SSL) programs. - -First, the obscure, [GnuTLS was revealed to have a trivial][1] but damning flaw. Then, the massively popular OpenSSL was found to have [a man-in-the-middle vulnerability][2]. After the [Heartbleed fiasco][3], OpenSSL needed this like a hole in the head. - -![](http://cdn-static.zdnet.com/i/r/story/70/00/030273/openssl-200x55.png?hash=MwyxMwt0MJ&upscale=1) - -This vulnerability, according to Adam Langley, a senior staff software engineer at Google, has been [around for at least 15 years][4]. It's a pity the Core Infrastructure Initiative (CII) [riding to OpenSSL's rescue with more developer funding][5] didn't happen any sooner than it did. - -That said, this bug is still is nowhere near as bad as Heartbleed. For starters, an attacker needs to be running a system between the web browser or other SSL-enabled client program to make use of the security hole. - -Be that as it may, you still need to address it by upgrading as soon as possible. As Chris Camejo, Director of Assessment Services for [NTT Com Security][6] said in an e-mail interview, "It's bad because it has been around for a long time and looks to be fairly widespread." - -He added: "If exploited it would allow the attacker to decrypt traffic. This is serious given that the whole point of SSL is to encrypt traffic and it is widely used to protect passwords, credit card numbers, and all other manner of sensitive transactions that happen on web sites as well as certain email connections." - -In a separate interview, Mark Cox, Red Hat's senior director of product security, [went into deeper detail][7]. Cox said, OpenSSL has fixed a number of security flaws, but given the Heartbleed episode we needed to find a way to tell people not to panic. - -Cox explained that Heartbleed had been patched before it was revealed but news of the exploit spread before news of the patches, hence so much of the upset around it. In this latest case, there have been seven security issues patched but only two of them need concern administrators and users. - -The first, Cox continued, is the Datagram Transport Layer Security (DTLS) bug. There is no known exploit of it at this time, but there is the potential for a successful attack against it. - -Therefore, while DTLS is not widely used, if you do use it, it should be patched as soon as possible. - -Cox then said the "real meat of the issue is the man-in-the-middle attack." Even here, for this work, someone really must be "in the middle" between a vulnerable server and client to make use of the hole. - -But if someone can do this, they could "bypass SSL and get to the raw data... This is quite a serious issue." - -Still, with Heartbleed anyone could theoretically exploit vulnerable SSL servers. To attack using this hole would require network access to the traffic between the client and server. For example, a successful attack might be made with a fake coffee house Wi-Fi access point being used to connect the Android version of the Chrome Web browser and an unpatched Web server. Fortunately, Google has [already released an updated version of this browser][8], 35.0.1916.141, to eliminate this problem. - -The most vulnerable systems, according to Cox, are unpatched Android devices using a bogus Wi-Fi hot spot. Morrell added that since Android users are at the mercy of their phone vendors and telcos for security updates they may be stuck with vulnerabilities for quite a long time. - -Fortunately, if the servers they connect with have been updated, they still can't be attacked. - -The OpenSSL security community has known about this problem since early May. The group, working with Red Hat, other major Linux and open-source groups, and hardware vendors, went to a great deal of trouble to not simply patch the bug but to take the next steps of testing the repair, so that they could be as certain (as anyone can ever be in security) that it would fix the hole, but also not introduce any new security problems, and work with most combinations of OpenSSL servers and clients. - -Now that the patch is out there, OpenSSL is trying to get the solid facts, as well as the patch, out to people so there won't be any undue panic over these problems. Cox added that the major Linux vendors, such as Red Hat and Ubuntu, already have the patches available. - -All server administrators need do is to download and install them and instead of a security crisis this will prove to be business as usual. - --------------------------------------------------------------------------------- - -via: http://www.zdnet.com/new-openssl-breech-is-no-heartbleed-but-needs-to-be-taken-seriously-7000030273/ - -译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出 - -[1]:http://www.zdnet.com/another-serious-gnutls-bug-exposes-linux-clients-to-server-attacks-7000030205 -[2]:http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/ -[3]:http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166 -[4]:https://www.imperialviolet.org/2014/06/05/earlyccs.html -[5]:http://www.zdnet.com/corporations-put-their-cash-where-their-open-source-security-is-7000030023/ -[6]:http://www.nttcomsecurity.com/us/ -[7]:http://ec.libsyn.com/p/6/a/5/6a58036510bae37c/CloudEvangelistPodcast_Ep92_MarkCox.mp3?d13a76d516d9dec20c3d276ce028ed5089ab1ce3dae902ea1d06c88537d1ce596fdc&c_id=7251647) -[8]:http://googlechromereleases.blogspot.com/2014/06/chrome-for-android-update.html \ No newline at end of file diff --git a/translated/talk/20140607 New OpenSSL breach is no Heartbleed-but needs to be taken seriously.md b/translated/talk/20140607 New OpenSSL breach is no Heartbleed-but needs to be taken seriously.md new file mode 100644 index 0000000000..6575ad600c --- /dev/null +++ b/translated/talk/20140607 New OpenSSL breach is no Heartbleed-but needs to be taken seriously.md @@ -0,0 +1,58 @@ +新的OpenSSL分支未包含Heartbleed漏洞,但需要认证看待 +================================================================================ +> 摘要:当被最新的OpenSSL安全问题困扰时,你最好解决它,虽然它并不像Heartbleed那样糟糕。 + +这一周对于开源团队Secure Socket Layer (SSL)的程序员们来说真是糟糕的一周。 + +首先,[GnuTLS][1]晦涩的表明,存在一个不太重要可很糟糕的缺陷。然后,大范围流行的OpenSSL被发现包含一个[中间人漏洞][2]。在[Heartbleed漏洞][3]惨剧后,OpenSSL需要这个来给自己醒醒脑。 + +![](http://cdn-static.zdnet.com/i/r/story/70/00/030273/openssl-200x55.png?hash=MwyxMwt0MJ&upscale=1) + +这个漏洞,根据谷歌高级软件工程师Adam Langley描述,已经[至少存在了15年时间][4]。可惜Core Infrastructure Initiative(CII)领导下的OpenSSL的修补人员获得了[更多的资金][5],却没能更早的修复他。 + +也就是说这个漏洞依然是和Heartbleed漏洞一样糟糕。对于一些新手,攻击者需要在浏览器和启用了SSL客户端的程序之间来利用这个安全漏洞。 + +尽管它可能被利用,你依然需要尽可能快的通过升级来解决这个漏洞。就像[NTT Com Security][6]的评估服务负责人Chris Camejo在邮件会议里说的,“它很糟糕因为已经存在了这么长的时间,看起来传播范围相当广泛。” + +他补充到:“如果利用它,将使攻击者解密流量。从SSL的设计目的看,这是一个很严重的问题,同时SSL被用来保护很多的密码,信用卡卡号和其他的和网站类似的敏感数据的email连接。” + +在一次单独采访中,Red Hat的产品安全高级负责人Mark Cox详细深入地介绍了[细节][7]。Cox说,OpenSSL已修正了一些安全缺陷,但鉴于我们需要想办法告诉人们不要因为Heartbleed而陷入恐慌。 + +Cox解释说,Heartbleed漏洞在公布之前得到了修补,但利用此漏洞的消息在修补程序之前传开,因此在这个问题上有那么多的抱怨。最新的情况,已有七个安全问题得到了修补,但其中只有两项需要管理员和用户的关注。 + +第一,Cox继续说道,是数据报传输层安全 (DTLS)的bug。到目前为止,还没有已知的攻击,但是存在针对它攻击成功的潜在性。 + +因此,虽然DTLS使用不广泛,如果您确实在使用它,它应尽快修补。 + +Cox然后说,"这个问题的实际上是中间人攻击"。甚至在此,为这项工作,真的有人必须是"在中间的",来利用易受攻击的服务器和客户端之间的漏洞。 + +但如果有人可以这样做,他们能"绕过SSL并拿到原始数据...这是一个相当严重的问题"。 + +但是,从理论上讲任何人都可以利用Heartbleed漏洞来攻击SSL服务器。攻击并利用此漏洞需要能接触到客户端和服务器之间的通信网络。例如,成功的攻击可能会作出与假咖啡屋Wi-Fi接入点,被用于连接的Android版本的Chrome网络浏览器和一个未安装修补程序的Web服务器。幸运的是,谷歌[已经发布了更新的版本的浏览器][8],35.0.1916.141,以消除此问题。 + +Cox,最易受攻击的系统是未安装修补程序的Android设备使用一个假的Wi-Fi热点。Morrell补充说因为Android用户在他们的手机供应商和电信公司面前属于弱势,安全漏洞更新前他们可能会受漏洞影响相当长的时间。 + +幸运的是,如果他们用连接的服务器已经更新,他们仍然不会受到攻击。 + +OpenSSL安全社区自5月初以来已经知道这个问题。工作组与Red Hat、其他主要Linux和开源组和硬件供应商,不只是简单修补bug就面对了很多麻烦,但采取下一步骤是测试修复,这样他们可以确认(如任何人都可以在安全) 它会修复漏洞,但也不引入任何新的安全问题并可在大多数 OpenSSL服务器和客户端的组合上工作。 + +现在,该修补补丁就在那里,OpenSSL想巩固事实,以及修补补丁,向公众表明对这些问题不必有任何不必要的恐慌。Cox添加主要的Linux供应商,如Red Hat和Ubuntu,已经有可用的修补程序。 + +所有的管理员需要做的是对所有服务器都要下载并安装补丁,而不是证明安全危机然后这将业务照常进行。 + +-------------------------------------------------------------------------------- + +via: http://www.zdnet.com/new-openssl-breech-is-no-heartbleed-but-needs-to-be-taken-seriously-7000030273/ + +译者:[lolipop](https://github.com/stduolc) 校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出 + +[1]:http://www.zdnet.com/another-serious-gnutls-bug-exposes-linux-clients-to-server-attacks-7000030205 +[2]:http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/ +[3]:http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166 +[4]:https://www.imperialviolet.org/2014/06/05/earlyccs.html +[5]:http://www.zdnet.com/corporations-put-their-cash-where-their-open-source-security-is-7000030023/ +[6]:http://www.nttcomsecurity.com/us/ +[7]:http://ec.libsyn.com/p/6/a/5/6a58036510bae37c/CloudEvangelistPodcast_Ep92_MarkCox.mp3?d13a76d516d9dec20c3d276ce028ed5089ab1ce3dae902ea1d06c88537d1ce596fdc&c_id=7251647) +[8]:http://googlechromereleases.blogspot.com/2014/06/chrome-for-android-update.html \ No newline at end of file