RNGs are used, for example, to liven up open world games without the developers having to code every single section of forests, roads and deserts. Instead, developers code some possibilities and let chance determine what happens when the player reaches a certain point on the map.
> With this argumentation a browser which lets anybody do a man in the middle attack on HTTPS connections and thus sniff your passwords is still fully functional.

Correct. If a browser is used only inside the internal network then it's perfectly fine to not use HTTPS authentication or even HTTPS in the first place.

Moreover, trying to "secure" a browser by installing additional certificates might be a bad idea if their private keys are not managed correctly.

> I think it is fine to explicitly switch off security if you don't need it. But I don't think that security should be off by default and that the developer needs to explicitly enable it, because in this case most developers will not do it, as the past has shown.

Nobody cares about security if their business-critical application is hard-down.

> I very much doubt this. First it was possible all the years to add certificates to the system's CA store. Then even ssl.wrap_socket in python 2.6 had the ca_certs argument which let you specify your own CA store. And modules like requests also made use of this.

Except that nobody did this. Watchdog doesn't care about security (only about reachability) and works only inside the trusted local network. If somebody is doing MITM in it, then it's already screwed.

So developers quite explicitly have chosen not to care about certificates and simply used the defaults.

> If you consider this as a feature you are right. If you consider this a bug (like I do) then it should be fixed as soon as possible because it is a security problem.

Can you provide your address? I'm going to cut off your power lines because the SCADA system on your power plant is likely to be vulnerable. So you MUST get a local battery backup and a generator. Otherwise YOU'RE NOT SECURE!!!11111111!

Would you choose to live for several months without utilities to make sure they are secure?

The future of the Python ssl module
Posted Jun 5, 2016 8:24 UTC (Sun) by noxxi (subscriber, #4994)
> That's correct. But there is a huge difference between insecure in all cases (not checking anything) and insecure in some specific situations (private key compromised).

A lot of internal systems use HTTPS just to avoid sending HTTP basic authentication passwords in the clear. However, their private keys are not managed securely so it's easy to pull them off.

If you install the certificates for these keys into your CA storage, then you open yourself to _undetectable_ MITM for anybody who obtains these keys.

> And nobody cares about "but it was fully functional" if their business-critical passwords are compromised.

However the likelihood of this resulting from a MITM attack inside a trusted LAN is way too low. This is NOT a new issue, it has been known for literally a _decade_ and the simple probability of being attacked through this vector is way too low.

> So yes, it unnecessarily broke your application but on the other hand it probably made lots of other applications more secure.

So is turning off the power. And no, I doubt that this whole SSL fiasco succeeded in preventing even one real-world attack.

> Would you choose to live without utilities because someone hacked these, like recently happened in the Ukraine?

Yes, I would.

> But what they probably will not do in a SCADA environment is to upgrade to a new software version without lots of testing, i.e. unlike you in your business critical environment.

No. There's a SECURITY (!111!oneoneone!) vulnerability, so they MUST turn off systems that have been working fine for decades in order to protect from one unlikely attack vector. No compromises are possible in the struggle for security!

The future of the Python ssl module
Posted Jun 5, 2016 23:05 UTC (Sun) by bronson (subscriber, #4806)