DROWN attack

AGAlumB
AGAlumB
1Password Alumni
This discussion was created from comments split from: Apple vs the Feds.

Comments

  • wkleem
    wkleem
    Community Member

    @brenty,

    This is off topic but another SSL/TLS vuln has been discovered. And we are supposed to believe that Apple can keep things secure so it never escapes!

    https://drownattack.com/

  • AGAlumB
    AGAlumB
    1Password Alumni

    @wkleem: That is a bit off topic, so I've split this off into a separate discussion. However, I think that's a great question that does relate somewhat to the question of Apple security.

    Now, technically these are pretty different: in the case of Touch ID, the secure enclave is implemented in hardware and is not programmable. It would have to be tested extensively both before, during, and after production, since a hardware bug is irrevocable. And given that what it does is fairly simple (hashing and storing data), it would be surprising for any issues to be found only after many years.

    On the other hand, SSL/TLS support is implemented in software, and has become increasingly complex over the years. In addition to that, companies often implement it themselves (or modify open source implementations), which gives rise to other issues we've seen over the years. But of course a security bug in a reference implementation that many software packages (OS, browser, server, etc.) are based on is how we end up with problems like this (and Heartbleed).

  • wkleem
    wkleem
    Community Member

    Hi

    Will the Agilebits Watchtower be updated for the new DROWN attack? At this point, I have to wonder what's left of SSL/TLS that isn't vulnerable?

  • AGAlumB
    AGAlumB
    1Password Alumni

    Hmm. Good question! Watchtower is geared more toward website breaches (password database dumps, etc.) but it's certainly something we can consider adding. Thanks for bringing this up! :)

  • wkleem
    wkleem
    Community Member

    Thanks Brent.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Any time! :pirate: :+1:

  • wkleem
    wkleem
    Community Member
    edited March 2016

    Looking forward to improvements in 1Password's vulnerability reporting. In other news, Adobe Flash was hit again with more vulns :(

  • AGAlumB
    AGAlumB
    1Password Alumni

    I'll be honest, I stopped reading about Flash vulnerabilities after uninstalling from all my machines it a while back. It was just a liability. When I do run into something that requires Flash, Chrome is my sandbox. I just make sure it's up to date beforehand and I'm good to go. And it isn't often that it even comes up. Almost everything is HTML5 nowadays. :sunglasses:

  • wkleem
    wkleem
    Community Member

    I would be careful about Chrome, not least because it never actually deletes old installations in Windows.

    http://www.ghacks.net/2011/02/14/free-up-disk-space-by-deleting-older-google-chrome-versions/

  • Huh. Interesting. I had not seen that before. Thanks for sharing @wkleem!

    Ben

  • wkleem
    wkleem
    Community Member

    @bwoodruff, those folders are hidden by default and would have to be made visible to be seen.

  • wkleem
    wkleem
    Community Member

    @bwoodruff, your team might want to check Chrome installations on both Macs and Windows PCs for this hidden bloat.

  • In 1Password, @wkleem? I think that is probably a bit outside of the scope of the product.

    If you just mean in general, that we ourselves should check for this on our own installations, then yes, thanks for the heads up. :+1:

    Ben

  • wkleem
    wkleem
    Community Member

    If you just mean in general, that we ourselves should check for this on our own installations, then yes, thanks for the heads up. :+1:

    You're welcome. It wouldn't hurt to check.I have not come across this issue on Chrome 64bit however. YMMV.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2016

    While I'm not super concerned since that doesn't impact security, that's good to know! Thanks for the info! I don't think I have any 32-bit copies of Chrome hanging around still, but as you pointed out, one never knows! :dizzy:

    Edit: It seems like I've only got the current and previous version on my PCs, which seems to mesh with the writer's findings as well:

    Update: Only the two most recent versions of Chrome are kept as of today. It is unclear if what I experienced was a bug or if Google modified the process.

    Weird.

This discussion has been closed.