Einschränkung der Auswahl
Alle Artikel aus
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2008/2009
oder nur Artikel des
• Entwickler Magazin aus
2019
2018
2017
2016
2015
2014
2013
2012
2011
2008-2010
alle (lang!)
• Mobile Technology aus
2019
2016
2015
2014
2012/2013
alle (lang!)
• PHP Magazin / PHP User aus
2019
2018
2017
2016
2015
2014
2013
2012
2011
2009/2010
alle (lang!)
• windows.developer / dot.Net Magazin aus
2019
2018
2017
2016
2015
2014
2013
2012
2008-2011
alle (lang!)
• oder der anderen Magazine
Entwickler Magazin 1.2015 - Herzbluten, ein bissiger Poodle und Co.
Im
Entwickler Magazin 1.15
ist ein Artikel über die Angriffe auf SSL/TLS und deren
Implementierungen im Jahr 2014 erschienen. Denn mit Heartbleed (OpenSSL),
Poodle (SSL/TLS), dem Triple-Handshake-Angriff (TLS), der
GOTO-FAIL-Schwachstelle in Mac OS X und iOS und BERserk (NSS Library)
waren die 2014 ganz schön gebeutelt.
Links
- [1] Is The Internet On Fire?
- [2] Carsten Eilers: "Quo vadis, SSL?"; Entwickler Magazin 4.2012
- [3] OpenSSL Security Advisory [07 Apr 2014]
- [4] CVE-2014-0160
- [5] Heartbleed Bug
- [6] Bruce Schneier; Schneier on Security: "Heartbleed"
- [7] RFC 6520 - Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension
- [8] Tomas Rzepka, @1njected auf Twitter: "We can extract the private key successfully on FreeBSD ..."
- [9] Robert Graham; Errata Security: "What the heartbleed bug looks like on the wire"
- [10] Dan Goodin; Ars Technica: "Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style"
- [11] Carsten Eilers: "Neues zum Heartbleed Bug in OpenSSL"
- [12] Sean Gallagher; Arc Technica: "Heartbleed vulnerability may have been exploited months before patch [Updated]"
- [13] Peter Eckersley; Electronic Frontier Foundation: "Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?"
- [14] Carsten Eilers: "Nutzt die NSA den Heartbleed Bug seit 2 Jahren?"
- [15] Christopher Glyer, Chris DiGiamo; M-unition: "Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs"
- [16] Mumsnet: "The Heartbleed security breed - and what to do"
- [17] Leo Kelion; BBC: "Heartbleed hacks hit Mumsnet and Canada's tax agency"
- [18] Canada Revenue Agency: "Notice - Heartbleed bug vulnerability"
- [19] Royal Canadian Mounted Police: "RCMP Statement regarding Heartbleed"
- [20] Royal Canadian Mounted Police: "Heartbleed Bug Hacker Charged by RCMP"
- [21] Bundesamt für Sicherheit in der Informationstechnik: ""Heartbleed Bug": BSI sieht weiteren Handlungsbedarf"
- [22] Uli Ries, Ronald Eikenberg; Heise Security: "Zugriff auf SMS-Nachrichten und Tor-Traffic dank Heartbleed"
- [23] United States Securities and Exchange Commission: "FORM 8-K: Community Health Systems, Inc"
- [24] TrustedSec: "CHS Hacked via Heartbleed Vulnerability"
- [25] Carsten Eilers: "Heartbleed: Problematische Zertifikats-Rückrufe"
- [26] Carsten Eilers: "Das große Problem mit den Patches und Updates"
- [27] Bodo Möller; Google Online Security Blog: "This POODLE bites: exploiting the SSL 3.0 fallback"
- [28] Bodo Möller, Thai Duong, Krzysztof Kotowicz: "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF)
- [29] CVE-2014-3566
- [30] RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
- [31] Carsten Eilers: "BEAST - Ein neuer Angriff auf SSL und TLS 1.0"
- [32] Carsten Eilers: "About Security #117: Mobile Security — WLAN-Hotspots"
- [33] Bode Möller, Adam Langley; IETF Draft: "TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks"
- [34] OpenSSL Security Advisory [15 Oct 2014]
- [35] Microsoft Security Advisory 3009008: "Vulnerability in SSL 3.0 Could Allow Information Disclosure"
- [36] Apple: "About Security Update 2014-005"
- [37] Apple: "About the security content of OS X Yosemite v10.10"
- [38] Qualys SSL Labs: SSL Server Test
- [39] ISC: SSLv3 Poodle Attack Check
- [40] Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt: "On the Security of RC4 in TLS and WPA"
- [41] Matthew Green; A Few Thoughts on Cryptographic Engineering: "Attack of the week: RC4 is kind of broken in TLS"
- [42] Jacob Appelbau, @ioerror auf Twitter: "@matthew_d_green @JoeBeOne @ln4711 RC4 is broken in real time by the #NSA - stop using it."
- [43] William Peteroy; Security Research & Defense Blog: "Security Advisory 2868725: Recommendation to disable RC4"
- [44] Microsoft Security Advisory 2868725: Update for Disabling RC4
- [45] Triple Handshakes Considered Harmful - Breaking and Fixing Authentication over TLS
- [46] Carsten Eilers: "Neuer Angriff auf TLS beim Einsatz von Client-Zertifikaten"
- [47] Carsten Eilers: "Der Triple Handshake Angriff auf TLS im Web"
- [48] Apple: "About the security content of iOS 6.1.6"
- [49] Apple: "About the security content of iOS 7.0.6"
- [50] Apple: "About the security content of Apple TV 6.0.2"
- [51] CVE-2014-1266
- [52] Apple: "About the security content of OS X Mavericks v10.9.2 and Security Update 2014-001"
- [53] Apple: sslKeyExchange.c
- [54] pencilo; Hacker News: "Take a look at http://opensource.apple.com/source/Security/Security-55471/l..."
- [55] Adam Langley; ImperialViolet: "Apple's SSL/TLS bug (22 Feb 2014)"
- [56] Steven M. Bellovin; SMBlog: "Goto Fail"
- [57] Steven M. Bellovin; SMBlog: "Speculation About Goto Fail"
- [58] CVE-2014-1568
- [59] Daniel Veditz; Mozilla Security Blog: "RSA Signature Forgery in NSS"
- [60] Mike Fey; McAfee Blog: "What you need to know about ”BERserk” and Mozilla"
- [61] Mozilla Foundation Security Advisory 2014-73: RSA Signature Forgery in NSS
- [62] Mozilla Bug 1064636 - (CVE-2014-1568) RSA PKCS#1 signature verification forgery is possible due to too-permissive SignatureAlgorithm parameter parsing
- [63] Intel Security - Advanced Threat Research: "BERserk"
- [64] Intel Security - Advanced Threat Research: BERserk Vulnerability - Part 1: RSA signature forgery attack due to incorrect parsing of ASN.1 encoded DigestInfo in PKCS#1 v1.5 (PDF)
- [65] Intel Security - Advanced Threat Research: BERserk Vulnerability - Part 2: Certificate Forgery in Mozilla NSS (PDF)
- [66] Carsten Eilers: "About Security #102: Hashfunktionen - Einführung"
- [67] Carsten Eilers: "About Security #103: Hashfunktionen - MD4 und Verwandte"
- [68] Carsten Eilers: "About Security #104: Hashfunktionen - Sicherheit"
- [69] Carsten Eilers: "Wer braucht SHA-3?"
- [70] Carsten Eilers: "2013 - Die Zukunft hat schon begonnen!"
- [71] NIST Special Publication 800-131A: "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths" (PDF)
- [72] Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen: "Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung (Übersicht über geeignete Algorithmen)"
- [73] Bundesamt für Sicherheit in der Informationstechnik (BSI): Technische Richtlinie BSI TR-02102-1: Kryptographische Verfahren: Empfehlungen und Schlüssellängen
- [74] Microsoft Security Advisory 2880823: "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program"
- [75] William Peteroy; Security Research & Defense Blog: "Security Advisory 2880823: Recommendation to discontinue use of SHA-1"
- [76] Adam Langley; ImperialViolet: "SHA-256 certificates are coming (14 May 2014)"
- [77] Ryan Sleevi; blink-dev Mailing List: "Intent to Deprecate: SHA-1 certificates"
- [78] Mozilla Security Engineering Team; Mozilla Security Blog: "Phasing Out Certificates with SHA-1 based Signature Algorithms"
- [79] Paul Mutton; Netcraft: "SHA-2: Very cryptographic. So secure. Such growth. Wow."
- [80] Carsten Eilers: "Heute aufgezeichnet – morgen entschlüsselt?"; PHP Magazin 5.2014