edbrowse-dev - development list for edbrowse
* [Edbrowse-dev] freak attack
@ 2015-03-05 16:10 Karl Dahlke
  2015-03-06 20:28 ` Adam Thompson
  0 siblings, 1 reply; 5+ messages in thread
From: Karl Dahlke @ 2015-03-05 16:10 UTC (permalink / raw)
  To: Edbrowse-dev

I also get the ssl connect error, and that's probably a good thing.
Perhaps the site cannot downshift the encryption to a weak level.

Karl Dahlke


* Re: [Edbrowse-dev] freak attack
  2015-03-05 16:10 [Edbrowse-dev] freak attack Karl Dahlke
@ 2015-03-06 20:28 ` Adam Thompson
  2015-03-06 21:32   ` Chris Brannon
  0 siblings, 1 reply; 5+ messages in thread
From: Adam Thompson @ 2015-03-06 20:28 UTC (permalink / raw)
  To: Karl Dahlke; +Cc: Edbrowse-dev


On Thu, Mar 05, 2015 at 11:10:24AM -0500, Karl Dahlke wrote:
> I also get the ssl connect error, and that's probably a good thing.
> Perhaps the site cannot downshift the encryption to a weak level.

I'm not sure about the test site, but from the looks of things I think if you
upgrade your openssl library you'll be fine.
From what I've seen of openssl, in general you should be updating this fairly
regularly anyway.

Cheers,
Adam.



* Re: [Edbrowse-dev] freak attack
  2015-03-06 20:28 ` Adam Thompson
@ 2015-03-06 21:32   ` Chris Brannon
  2015-03-09 22:44     ` Adam Thompson
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Brannon @ 2015-03-06 21:32 UTC (permalink / raw)
  To: Edbrowse-dev

Adam Thompson <arthompson1990@gmail.com> writes:

> I'm not sure about the test site, but from the looks of things I think if you
> upgrade your openssl library you'll be fine.

Ok, here's the message I sent to Karl yesterday:

<quote>
Well, the freakattack.com site now has a test that doesn't rely on
JavaScript.  Try fetching the page
https://cve.freakattack.com/
If it loads without errors, then your client is vulnerable, and the
response is a plain text message saying "vulnerable".
On my main machine, there is an error when I try to connect.
It looks like this:

SSL connect error in libcurl:
error:1408D0F4:SSL routines:ssl3_get_key_exchange:unexpected message

However, the statically-linked edbrowse binaries are vulnerable.
It's been a few months since I've rebuilt them, so I need to refresh all
the packages on the virtual build machines and rebuild them.
For now, I've just pulled them from the site.
</quote>

I rebuilt and re-uploaded new static binaries after sending that,
so anyone who is using them needs to get the new ones ASAP.

As for the rest of us, all we need to do is make sure our libraries are
all up to date and free of issues.

-- Chris
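The self-test Chris describes has a simple contract: a fetch that completes and returns the body "vulnerable" means the client accepted the export-grade key exchange, while an SSL connect error means it refused. The script below is an added example, not something from the edbrowse list or project; it wraps that contract so the check can be run from a build or release script and acted on. The mapping of curl exit status 35 to "SSL connect error" is libcurl's documented CURLE_SSL_CONNECT_ERROR; the URL defaults to the one given in the message and can be overridden with FREAK_TEST_URL.

```shell
#!/bin/sh
# Added example (not from the edbrowse list): wrap the FREAK client self-test
# described on the list so the outcome can gate a script.
#   - fetch succeeds and body is exactly "vulnerable"  -> client is vulnerable
#   - curl exits 35 ("SSL connect error", CURLE_SSL_CONNECT_ERROR) -> refused
#   - anything else (DNS, timeout, other body)          -> inconclusive

FREAK_TEST_URL="${FREAK_TEST_URL:-https://cve.freakattack.com/}"

# interpret_freak_result EXIT_CODE BODY
# Pure decision logic over curl's exit status and the response body, so it can
# be exercised offline with constructed values. Prints exactly one of:
# VULNERABLE, NOT_VULNERABLE, INCONCLUSIVE.
interpret_freak_result() {
    code="$1"
    body="$2"
    case "$code" in
        0)
            # Handshake completed. Only the exact plain-text body the test site
            # returns confirms the finding; anything else is not a verdict.
            case "$body" in
                vulnerable) echo VULNERABLE ;;
                *)          echo INCONCLUSIVE ;;
            esac
            ;;
        35)
            # libcurl reported an SSL connect error: the client rejected the
            # server's export-grade key exchange, which is the desired outcome.
            echo NOT_VULNERABLE
            ;;
        *)
            # Name resolution failure, timeout, HTTP error etc. say nothing
            # about the TLS implementation.
            echo INCONCLUSIVE
            ;;
    esac
}

# run_freak_test: perform the live fetch with the system libcurl and classify.
run_freak_test() {
    body=$(curl -sS --max-time 20 "$FREAK_TEST_URL" 2>/dev/null)
    code=$?
    interpret_freak_result "$code" "$body"
}

# Invoke with --live to actually contact the test site. The script's exit
# status is non-zero only for VULNERABLE, so it can fail a build step.
if [ "${1:-}" = "--live" ]; then
    result=$(run_freak_test)
    echo "FREAK client test: $result"
    [ "$result" != VULNERABLE ]
fi
```

Treating anything other than the exact "vulnerable" body as inconclusive matters: a captive portal, a redirect page or a later change to the test site would otherwise be misread as a clean result.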


* Re: [Edbrowse-dev] freak attack
  2015-03-06 21:32   ` Chris Brannon
@ 2015-03-09 22:44     ` Adam Thompson
  2015-03-11 12:58       ` Chris Brannon
  0 siblings, 1 reply; 5+ messages in thread
From: Adam Thompson @ 2015-03-09 22:44 UTC (permalink / raw)
  To: Chris Brannon; +Cc: Edbrowse-dev


On Fri, Mar 06, 2015 at 01:32:58PM -0800, Chris Brannon wrote:
> Adam Thompson <arthompson1990@gmail.com> writes:
> 
> > I'm not sure about the test site, but from the looks of things I think if you
> > upgrade your openssl library you'll be fine.
> 
> Ok, here's the message I sent to Karl yesterday:
> 
> <quote>
> Well, the freakattack.com site now has a test that doesn't rely on
> JavaScript.  Try fetching the page
> https://cve.freakattack.com/
> If it loads without errors, then your client is vulnerable, and the
> response is a plain text message saying "vulnerable".
> On my main machine, there is an error when I try to connect.
> It looks like this:
> 
> SSL connect error in libcurl:
> error:1408D0F4:SSL routines:ssl3_get_key_exchange:unexpected message
> 
> However, the statically-linked edbrowse binaries are vulnerable.
> It's been a few months since I've rebuilt them, so I need to refresh all
> the packages on the virtual build machines and rebuild them.
> For now, I've just pulled them from the site.
> </quote>
> 
> I rebuilt and re-uploaded new static binaries after sending that,
> so anyone who is using them needs to get the new ones ASAP.
> 
> As for the rest of us, all we need to do is make sure our libraries are
> all up to date and free of issues.

Thanks for being so on top of this issue.
Given the nature of Edbrowse and the current security climate,
I wonder if we need an automated system to rebuild these if we don't have one 
already?

Cheers,
Adam.



* Re: [Edbrowse-dev] freak attack
  2015-03-09 22:44     ` Adam Thompson
@ 2015-03-11 12:58       ` Chris Brannon
  0 siblings, 0 replies; 5+ messages in thread
From: Chris Brannon @ 2015-03-11 12:58 UTC (permalink / raw)
  To: Edbrowse-dev

Adam Thompson <arthompson1990@gmail.com> writes:

> I wonder if we need an automated system to rebuild these if we don't have one 
> already?

Well, we definitely don't have one already.  Here's what I do.
I have a couple qemu hard disk images of Alpine Linux: one for i686 and
one for x86_64.
Alpine doesn't package a static readline library, and in fact, I don't
think there's a clean way to build it in their ports system.  But I'm a
persistent fellow; I made static readline build for me.
I also had to build Spidermonkey from source.
So that's my infrastructure.
I have a slightly customized makefile for building the static binaries,
since the linker invocation requires that I specify a bunch of
additional libraries that are pulled in automatically when linking
dynamically.

So now it's basically a matter of:
1. Booting my virtual machines,
2. Ensuring that their system libraries are all up to date,
3. Building edbrowse and tarring up the resultant binaries [1]
4. Copying them to my development machine
5. Signing the tar files with gpg
6. Uploading them to my web server.

Most of that can be automated, with the possible exception of step 2.
Is it worth the trouble?  Maybe not right now.  But it's definitely
worth the 10 minutes it took me to document it, because if I get hit
by a bus or something, you guys can recreate my process if you want.

-- Chris
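Chris says most of steps 3 to 6 can be automated. The script below is an added example of what that automation could look like; it is not his makefile or any edbrowse project script, and every hostname, path and key id in it is a placeholder. It leaves steps 1 and 2 (booting the VMs and updating their packages) manual, copies the built binaries off the VM, tars only the executables, gpg-signs the tarball with a detached armoured signature, verifies that signature locally, and uploads tarball and signature together.

```shell
#!/bin/sh
# Added example (not Chris's makefile or an edbrowse project script): a
# release helper for steps 3-6 of the process described above. Steps 1-2
# (booting the VMs and updating their packages) stay manual. Every hostname,
# path and key id below is a placeholder.
set -eu

BUILD_HOST="${BUILD_HOST:-build@alpine-x86_64.example}"        # placeholder VM
REMOTE_BIN_DIR="${REMOTE_BIN_DIR:-/home/build/edbrowse/bin}"  # placeholder path
SIGNING_KEY="${SIGNING_KEY:-PLACEHOLDER_KEY_ID}"               # placeholder key id
WEB_DEST="${WEB_DEST:-user@www.example:/var/www/edbrowse/}"   # placeholder dest

# Step 4: copy the freshly built binaries from the VM into a local staging dir.
fetch_build() {
    dest="$1"
    mkdir -p "$dest"
    scp -q "$BUILD_HOST:$REMOTE_BIN_DIR/*" "$dest/"
}

# Step 3: tar up the binaries in SRC_DIR into OUT_TAR (gzip). Only regular,
# executable files are included, so object files, logs or core dumps sitting
# in the same directory never ship by accident. Returns 1 if nothing qualifies.
package_binaries() {
    src="$1"; out="$2"
    set --                                  # collect member names portably
    for f in "$src"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            set -- "$@" "${f##*/}"
        fi
    done
    [ "$#" -gt 0 ] || { echo "no executables found in $src" >&2; return 1; }
    tar -C "$src" -czf "$out" "$@"
}

# Step 5: detached, ASCII-armoured signature next to the tarball (OUT.asc),
# verified locally before anything is uploaded.
sign_tarball() {
    tarball="$1"
    gpg --batch --yes --armor --detach-sign --local-user "$SIGNING_KEY" "$tarball"
    gpg --verify "$tarball.asc" "$tarball"
}

# Step 6: upload tarball and signature together so users can always verify.
upload_release() {
    tarball="$1"
    scp -q "$tarball" "$tarball.asc" "$WEB_DEST"
}

# Run the whole pipeline only when asked, so the functions can also be
# sourced and exercised individually.
if [ "${1:-}" = "--release" ]; then
    arch="${2:-x86_64}"
    stage="$(mktemp -d)"
    out="edbrowse-static-$arch.tar.gz"
    fetch_build "$stage"
    package_binaries "$stage" "$out"
    sign_tarball "$out"
    upload_release "$out"
    rm -rf "$stage"
    echo "released $out and $out.asc"
fi
```

Run it once per VM, e.g. `BUILD_HOST=build@alpine-i686.example ./release.sh --release i686`. Signing on the development machine rather than inside the build VM keeps the private key off the machines that run untrusted package updates, and verifying the signature before upload catches a wrong or expired key while the fix is still cheap.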

