Date: Tue, 14 Oct 2014 22:48:00 -0700
From: Walter Parker <walterp@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Truly scary SSL 3.0 vuln to be revealed soon:

Yeah, reposting a link to an internationally read news site doesn't seem
like much of an issue. Posting the exploit code a week ahead of time, maybe,
but reposting that there is a problem in a 15 year protocol that uses parts
with known weaknesses, which was to be released less than 12 hours later,
doesn't look like a problem.

What is this list's policy on Full Disclosure?
What is this list's policy on sourced/unsourced security rumors?

Why do people on lists like this seem to think that censoring themselves and
others will actually do any good? That somehow the oss-security post will be
the straw that broke the camel's back and not the internationally read news
site (or all the black hat/pirate sites)?

How many posts to oss-security are patient zero for embargo breaking? What
about just responsible for any cracking happening in the real world?

On Tue, Oct 14, 2014 at 10:28 PM, Sona Sarmadi <sona.sarmadi@...a.com> wrote:

> Thanks Hanno,
>
> A reflection: Maybe we shouldn't post information like this here or
> somewhere else which is not published yet, even if the information has
> leaked out? Although all members here are reliable, it is still an open
> mailing list and we should be careful and act more responsibly.
>
> Cheers
> Sona
>
> > It's out:
> >
> > https://www.openssl.org/~bodo/ssl-poodle.pdf
> > http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html
> >
> > My conclusion stays the same: Disable SSLv3.
> >
> > --
> > Hanno Böck
> > http://hboeck.de/
> >
> > mail/jabber: hanno@...eck.de
> > GPG: BBB51E42
>

--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis