Why don't we release CVE numbers with pre-announcements?

It would be very convenient to name tools and write docs and open issues in advance. The point of CVEs is to get everyone talking about the vuln with the same name, and we are all talking about it already. #OpenSSL
Alright, configured a pretty vanilla Fly.io VM with OpenSSL 3.0.6 to act as a lab. Should be fun. #OpenSSL
Oh, what if I live-streamed looking into the vulnerability when it drops?
Alright, I'll do that at twitch.tv/filosottile!

I'll announce here when we are going live. #OpenSSL
The advisory isn't out yet, but the OpenSSL 3.0.7 source archive is.

Here's a rough diff. (There might be some artifacts, as the base comes from git.)

gist.github.com/FiloSottile/61…

This is the changelog: potential RCE or crash in name constraint checking. Happens after checking signatures, so requires the attacker to have a trusted certificate or the victim to skip verification.

Doesn't seem to affect servers that don't accept client certificates.  * Fixed two buffer overflo...
"Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH." #OpenSSL

openssl.org/news/secadv/20…
Cooled down takes on yesterday's vulns.

I think the CRITICAL to HIGH downgrade was fine. Better than erring on the other side, anyway.

"Why did this make it into a release" might be the most important post-mortem conversation, though.

Writing a Cryptography Dispatches issue focusing on the two high-level lessons I care about in the #OpenSSL vulnerability story:

- why was this not caught in testing

- why was this code even necessary (spoiler: it's the spec!)

Subscribe here: filippo.io/newsletter 📮
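The mitigating factor in the changelog quoted above is about ordering: name constraints are only evaluated on a chain whose signatures already verified, so reaching the bug needs a certificate from a CA the victim trusts (or a victim that skips verification). This added Go example, which is not from the thread and not OpenSSL code, reproduces that ordering with Go's crypto/x509: two constructed name-constrained roots and a leaf, where a leaf from an untrusted issuer is rejected as "untrusted" before that issuer's constraints are ever consulted, while a constraint violation only surfaces on a chain that verified. The root names, domains and the NewCA/Classify helpers are all assumptions made for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue gives tmpl a fresh Ed25519 key and a short validity window, then has signer sign it under parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, signer = tmpl, priv
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed fixture; nothing sensible to do with a failure
	}
	cert, _ := x509.ParseCertificate(der) // our own DER; parsing cannot fail
	return cert, priv
}
// NewCA builds a constructed root permitting only DNS names under domain; all roots share one subject name, so a root that did not sign a leaf is still found as a candidate issuer.
func NewCA(domain string) (*x509.Certificate, ed25519.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: []string{domain},
	}, nil, nil)
}
// Classify issues a client-auth leaf for leafDNS under issuer and verifies it against the single root
// trusted. crypto/x509 checks a candidate issuer's signature before its name constraints.
func Classify(issuer *x509.Certificate, issuerKey ed25519.PrivateKey, leafDNS string, trusted *x509.Certificate) string {
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{leafDNS}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, issuer, issuerKey)
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err == nil {
		return "ok"
	}
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.CANotAuthorizedForThisName {
		return "name-constraint" // the chain's signatures passed; the root's constraints then rejected the SAN
	}
	if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "untrusted" // no trusted signer; the candidate root's constraints were never evaluated
	}
	return "other"
}
```

The interesting case is a leaf whose name the trusted root would permit but which that root never signed: it is reported as "untrusted", and the root's constraint logic never runs.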


More from @FiloSottile

Aug 5
I implore you, don’t give a mundane FOIA lawsuit more attention than it deserves.

It’s 2022, we should all be inoculated against people “just asking questions” and spinning loose facts into conspiracy theories.

Ask yourself if you’re being sold a story on emotions and why.
This is what I’m talking about. blog.cr.yp.to/20220805-nsa.h…

Bernstein filed a pretty routine FOIA lawsuit, which is fine, he should win, great.

You only find out in the last ten paragraphs, though. First there’s him implying scientists were bribed in “just asking questions” style. Some people seem to be unable to rationally consider the pos
It’s honestly a little sad and I wish I could just look away, but this rhetoric does real damage.

When his schemes won’t get picked by NIST, people will think it’s because they are not backdoored, and will point at the FOIA lawsuit as evidence.
May 6
I have some personal news 👀

Today is my last day at Google! 🛫🏝🌅

I am leaving to take a long break from full-time employment and explore different ways Open Source maintainers can get paid.

I want to make words.filippo.io/professional-m… a thing, starting with Go cryptography! A drawing of a gopher holdi...
I believe Open Source will change one way or another, so I'm putting my (lack of) money where my mouth is, and doing what I think can best catalyze the change I want: becoming a professional, independent Open Source maintainer myself 👨‍💻💼
Concretely, it will mean pitching companies (maybe you!) on paying me as a contractor to keep doing Go cryptography, age, mkcert, and yubikey-agent work as an independent maintainer, and then being very very public about it 📢 words.filippo.io/pay-maintainer…
Mar 15
Looks like LibreSSL might have spilled what OpenSSL will announce today after 13:00 UTC (which will include a HIGH-severity vuln).

Unbounded loop in BN_mod_sqrt reachable from X.509.

"A malicious certificate can cause an infinite loop."

ftp.openbsd.org/pub/OpenBSD/pa… The patch available from th...
Ah, here's the OpenSSL advisory.

openssl.org/news/secadv/20…

Infinite loop in certificate *parsing* reachable from TLS.

There's a similar issue in Go's math/big but since we don't support custom elliptic curves there is no vector for the attack ✨

In fact, we're working to make all of math/big unreachable from crypto packages.

Relentless complexity reduction kills vulns.

Dec 30, 2021
Damn. @zx2c4 has been the Linux random driver maintainer for like a hot minute, and /dev/[u]random is now 100% SHA-1 free and 370% faster. Amazing.

lore.kernel.org/lkml/202112231…
lore.kernel.org/lkml/202112301…
@zx2c4 When I say a hot minute, the MAINTAINERS patch was mailed 30 days ago. lore.kernel.org/lkml/202111301…

You might know @zx2c4 for making Wireguard (and getting it into Linux).
In case you missed it, the Linux CSPRNG is pretty good these days!

The extraction has been using ChaCha20 for a while. What just changed is that the entropy mixing will now use BLAKE2, which makes a lot of sense since it's the same core as ChaCha20.

buttondown.email/cryptography-d…
Dec 28, 2021
Watching @tqbf argue on HN with someone who is lamenting the lack of authentication in age, and here's the thing... age does provide authentication.

I am just wary of advertising because I'm afraid that authentication in a multi-recipient scenario is hard to reason about.
@tqbf Specifically, I believe it is in fact impossible to generate an age ciphertext that will successfully decrypt for an unknown identity/recipient.

(I have not put in the effort to prove this, as it's not an advertised security property of age. Consider it a freebie.)
Why is this tricky? Because it means the recipient (the public key) becomes a sort of encrypting/authentication secret key.

Also, if a message is encrypted to A, B, C, then B and C can modify the file so that A will accept it without knowing A.
Jan 29, 2021
Exploitable heap overflow in libgcrypt 1.9.0 (┛ಠ_ಠ)┛彡┻━┻

It's the crypto library that gpg uses. Homebrew has 1.9.0 right now. 🚨

dev.gnupg.org/T5259
It's in cipher/hash-common.c (!) and looks like it's hit when extra data is hashed after finalizing the hash.

Doing that is a partial mitigation for timing side channels on the length of a hashed message. Very partial.

dev.gnupg.org/rC512c0c752769…
Reported-by: Tavis Ormandy <taviso@gmail.com>

👋 @taviso