Shared posts

10 Apr 17:57

#310035

<ioiom63> I went to the doctor, and I had to fill out these papers, right?
<ioiom63> They must use the same papers for men and women, because I had to fill in whether or not I was pregnant.
<ioiom63> I'm a bit of a dick, so I wrote "You never know!"
<ioiom63> 30 minutes later a nurse is VERY angry with me because they're extremely busy already and I've just made things worse...
<ioiom63> ...because if a patient gives any indication of being unsure whether or not they are pregnant, the staff are legally required to take the time to do a pregnancy test.
<ioiom63> Apparently the rule does not also state "...but only if the patient is female."
<ioiom63> Long story short, I am most definitely NOT pregnant.
16 Apr 04:50

Bacon & Egg Muffin Cups

by Paul

Bacon & Egg Muffin Cups (via Pretty Palate)

Bacon & Egg Muffin Cups

 

15 Apr 20:34

Heartbleed: Revoke! The time is nigh!

by Paul Mutton

As the results of CloudFlare's challenge have demonstrated, a server's private key can be extracted using the Heartbleed vulnerability. Consequently, the 500,000+ certificates used on web servers supporting TLS heartbeat should be urgently replaced and revoked. Whilst the replacement and revocation process has begun — 80,000 certificates have been revoked since the announcement — it is far from over.

Private key extraction is real

CloudFlare, which uses a modified version of the nginx web server, originally thought it would be extremely hard or impossible to use the Heartbleed bug to steal a certificate's private key from an nginx server. However, this was quickly proved wrong last week after CloudFlare set up a vulnerable website and challenged people to steal its private key. Later on the same day, the private key had been successfully stolen by exploiting the Heartbleed bug.

Fortunately, CloudFlare decided to play it safe and planned to reissue and revoke potentially affected certificates anyway. CloudFlare also acknowledges that the revocation process is far from perfect and not suitable at mass scale: "If every site revoked its certificates, it would impose a significant burden and performance penalty on the Internet". CloudFlare's own website at cloudflare.com started using a new SSL certificate yesterday, despite the new certificate being marked as valid from 10 April 2014.

Akamai is also planning to rotate all of its customers' SSL certificates after realising a flaw in its recent patch which it originally believed would protect users against the Heartbleed bug. Akamai is notable for its content delivery network of more than 61,000 servers, which they claim delivers 15-20% of all web traffic.

There are already reports that Heartbleed has been used to compromise secure web sites including Canada's tax agency and popular UK web forum Mumsnet.

Revocation is critical (even if it doesn't always work)

As of this morning (Tuesday 15th April), more than 80,000 certificates have been revoked since the public announcement of the vulnerability on 7th April.


The Heartbleed bug has caused a rise in certificate revocations, but the rate predictably fell over the weekend.

Based on list prices, the cost of replacing all of the potentially-compromised certificates with completely new certificates is more than $100 million, but, helpfully, most (but not all) certificate authorities are allowing their customers to reissue and revoke certificates for free. Nonetheless, plenty of the affected websites (e.g. Etsy, Yahoo, GitHub, Steam) appear to have bought new certificates instead of going through the reissuance process, as the new expiry dates are significantly later than the expiry dates in the previous certificates. Perhaps in the haste of resolving the problem, this seemed the easiest approach, making Heartbleed a bonanza for certificate authorities.

While some companies quickly recognised the need to issue new certificates in response to the Heartbleed bug, the number of revocations has not kept up. This is a mistake, as there is little point issuing a new certificate if an attacker is still able to impersonate a website with the old one.

Yahoo was one of the first companies to deploy new SSL certificates after the Heartbleed bug became public knowledge, but the certificate that was previously used by mlogin.yahoo.com has not yet been revoked — it has not been placed on a CRL, and the certificate's OCSP responder says the certificate is "good".

Yahoo is not the only company to have issued a new certificate without ensuring that the previously vulnerable certificate has been revoked. Other sites which fall into this category include banking websites (such as entry7.credit-suisse.ch), the United States Senate large file transfer system at lfts.senate.gov, and GeoTrust's SSL Toolbox at https://ssltools.geotrust.com/checker/ (GeoTrust is a brand owned by Symantec, the largest certificate authority).

Thousands of certificates could still be misused after being revoked

Critically, some of the certificates affected by the Heartbleed bug will remain usable even if revoked: Nearly 4% of the certificates do not specify a URL for an OCSP responder, which means that they can only be revoked via a CRL. This makes the certificates effectively irrevocable in some browsers — for example, the latest version of Mozilla Firefox no longer uses CRLs at all (previously it would fall back to checking a CRL if an OCSP request failed, but only for Extended Validation certificates).

Worse still, a small number of the certificates that could have been compromised through exploitation of the Heartbleed bug fail to specify either an OCSP or a CRL address. These certificates are therefore completely irrevocable in all browsers and could be impersonated until their natural expiry dates if an attacker has already compromised the private keys.

For example, Telecom Italia (a sub-CA of Verizon Business) is still using an irrevocable certificate on www.cloudpeople.it, which supported the TLS heartbeat extension prior to the disclosure of the Heartbleed bug. The 3-year certificate was issued by I.T. Telecom Global CA at the end of 2011 and will remain valid until the end of 2014 because it does not permit either form of revocation.

CRLs will balloon as a result of the surge of revocations

To obtain the certificate revocation lists (CRLs) used by each publicly trusted certificate authority, a web browser would need to download more than 100MB of data. These CRLs will grow by about 35% if all of the certificates affected by the Heartbleed bug were revoked. Downloading this much data is clearly impractical for many mobile devices, and several CRLs either time-out or take more than a minute to download, even from a desktop machine with a fast internet connection. This goes against the CA/Browser Forum's Baseline Requirements, which expect CAs to provide response times of less than 10 seconds.

The largest CRL (11MB) is operated by the US Department of the Treasury, and despite containing more than 200,000 revocation entries, it is only used by one publicly accessible certificate. Nonetheless, any browser wishing to perform a CRL check for that one site will have to download the whole list. Governments also feature amongst the worst-performing CRLs: For example, the Taiwanese government offers a CRL at http://hcaocsp.nat.gov.tw/repository/HCA/CRL/complete.crl, which would not respond when tested earlier today, and the Brazilian government offers several CRLs from its site at repositorio.icpbrasil.gov.br, but each took 2-3 minutes to download, despite being of relatively modest sizes.

12 Apr 17:56

"Show us the meaning of haste, Shadowpig!" [x]





"Show us the meaning of haste, Shadowpig!" [x]

11 Apr 13:35

Mario Kart IRL. [zdedwards]



Mario Kart IRL. [zdedwards]

11 Apr 04:00

Heartbleed Explanation

Are you still there, server? It's me, Margaret.
01 Apr 06:02

Signs for fake mayor candidadates in Toronto

by biotv
Anti-Rob Ford non-profit organization No Ford Nation - created as a reaction to the mayor and his brother's Ford Nation - promises a new kind of mayor for Toronto, with three new electoral signs that popped up in the city yesterday.




Canada.com
07 Apr 12:35

Facehugger

Cat gets too close to octopus. - AnimalsBeingDicks.com

Movie Trivia: The original version of Alien didn’t cast Sigourney Weaver in the lead role. She ultimately landed the role when it was learned that the original lead, Mitzy the Cat, had a debilitating allergic reaction to cephalopods. 

03 Apr 07:05

justinaireland: gothiccharmschool: In times of trouble Ellen...













justinaireland:

gothiccharmschool:

In times of trouble

Ellen Ripley comes to me 

Speaking words of wisdom

Nuke the entire site from orbit, it’s the only way to be sure.

I need to rewatch this movie.
04 Apr 01:50

“Open Network Linux” could boost viability of vendor-neutral switches

by Jon Brodkin

LAS VEGAS—The Facebook-led Open Compute Project has spent the past year building an “open” switch that can boot nearly any type of networking software, giving customers more alternatives to proprietary switch vendors like Cisco.

Intel, Broadcom, Mellanox, and Cumulus Networks jumped on board last November, contributing specifications and software that will bring the project closer to a finished design. They weren’t alone, though: Software-defined networking vendor Big Switch Networks, in January, donated what it calls Open Network Linux (ONL) to the project.

In an interview with Ars at this week’s Interop conference in Las Vegas, newly appointed Big Switch CEO Douglas Murray explained the company’s reasons for getting involved. As Big Switch noted in its announcement, ONL is “the Linux distribution for bare metal switches that runs underneath our commercial Switch Light OS. ONL’s goal is to give people deploying OCP [Open Compute Project] switches a simplified experience with a standard Linux distribution that comes prepackaged with all of the relevant drivers, loaders, and platform-independent goodness. If ONL is successful and becomes a popular distribution for open network hardware, it will also mean less integration work for hardware and software vendors and thus fewer bugs and other surprises once ONL-based products get to end customers.”

Read 15 remaining paragraphs | Comments

05 Apr 20:43

[slayd7]



[slayd7]

05 Apr 02:18

Photo



03 Apr 19:30

Photo















02 Apr 04:28

Dedication. [x]



Dedication. [x]

31 Mar 16:51

Scientifically Unproven Facts [via]Previously: Amazing Ocean...











Scientifically Unproven Facts [via]

Previously: Amazing Ocean Facts

31 Mar 21:40

my god you’re right!



my god you’re right!

31 Mar 20:55

asparkofinsanity: #i can smell somone cooking shitty food #my...

29 Mar 17:00

It’s Time To End The Shift On A High

Call Center | Huntsville, AL, USA

(I’m just finishing up a call with a pleasant customer, my last call for the day. Because of mandatory overtime, I’ve been at work for almost 12 hours straight and can’t wait to leave.)

Me: “Is there anything else I can help you with, sir?”

Customer: “Hang on. My daughter wants to ask you a question.”

Me: “Okay.”

(I hear the customer hand the phone to his daughter. She sounds very young: probably three or four.)

Girl: “Hi!”

Me: “Hi, there! How are you?”

Girl: “Good. Hey, do you know what time it is?”

Me: *playing along* “No, sweetie. What time is it?”

Girl: “It’s peanut butter jelly time! Peanut butter jelly time! Peanut butter jelly! Peanut butter jelly! Peanut butter jelly and a baseball bat!”

Customer: “Sorry about that. She just HAS to sing it every time I’m on the phone.”

Me: *laughing really hard* “It’s perfectly fine, sir. I can’t think of a better way to end my shift!”

29 Mar 18:09

bagmilk: niknak79: Physics! this man has been decapitated and...



bagmilk:

niknak79:

Physics!

this man has been decapitated and all you have to say is “physics!”??? wow….

28 Mar 04:00

March 28, 2014


25 Mar 00:14

[happyjar]

21 Mar 19:33

Photo



21 Mar 15:20

Twitter / utku: “Twitter is blocked in Turkey. On the...



Twitter / utku: “Twitter is blocked in Turkey. On the streets of Istanbul, the action against censorship is graffiti DNS addresses.”

22 Mar 02:09

Photo



16 Mar 18:32

When the master race still had it's flaws

21 Mar 07:01

From Loki

by Doug

From Loki

Inspired by yesterday’s Sketch Dailies theme: Thor! Here are more heroes.

14 Mar 16:02

riebeckite: veronicaslides: gray-firearms: Train don’t give a...

by thehilariousblog




riebeckite:

veronicaslides:

gray-firearms:

Train don’t give a fuck

CHOO CHOO MOTHER FUCKER SUCK MY DICK

~Dashing though the snow~

GET THE FUCK OUT OF MY WAY

15 Mar 04:20

[via]



[via]

14 Mar 00:00

I think my local Target is trying to tell me something. [x]



I think my local Target is trying to tell me something. [x]

06 Mar 13:59

GIF | 800.gif

800.gif