My first CVE. Guess I'm a real security engineer now?
A fitting time to link this paper again: https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf …
New conversation
@bascule did you fix with RFC6125 compliant validator? Or check name constraints in CN despite no RFC telling you you need to? :D
@sleevi_ the fix was "hey OpenSSL, you figure it out". So uh, you tell me?
@bascule link to source? Several ways to botch :/
@bascule yup. Can think of two or three ways you could pop Ruby but not a browser...
@sleevi_ so far: not verifying the chain, not verifying the hostname, and “custom” unmanaged truststores…
@sleevi_ I am guessing there are many Ruby client libs that are vulnerable to at least one of those
End of conversation
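The failure modes listed in the exchange above (chain not verified, hostname not verified, ad-hoc trust stores) come down to two checks a Ruby TLS client has to pass before trusting a peer. The block below is an added example, not code from either participant or from the library being discussed; it uses Ruby's OpenSSL bindings to build a constructed test CA, a leaf it issued for the made-up name api.example.test, and a look-alike leaf from an untrusted CA, then runs both checks against them.

```ruby
require "openssl"

# Issue an X.509 certificate; with no issuer given the certificate is self-signed.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, san: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3, required for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed sample PKI (not real certificates): a private test CA, the leaf it issued
# for api.example.test, and a second CA nobody trusts that issued a leaf for the same name.
CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert("/CN=Constructed Test CA", CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert("/CN=api.example.test", LEAF_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY,
                      san: "DNS:api.example.test")
OTHER_CA_KEY  = OpenSSL::PKey::RSA.new(2048)
OTHER_CA_CERT = make_cert("/CN=Untrusted CA", OTHER_CA_KEY, ca: true)
LOOKALIKE_CERT = make_cert("/CN=api.example.test", LEAF_KEY, issuer_cert: OTHER_CA_CERT,
                           issuer_key: OTHER_CA_KEY, san: "DNS:api.example.test")

# Check 1: does the presented certificate chain to a CA in our trust store?
def chain_trusted?(leaf, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  store.verify(leaf)
end

# Check 2: does a SAN dNSName (or, absent any, the CN) match the host we dialed?
def hostname_matches?(leaf, hostname)
  OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
end

# A client must pass both; dropping either one is a bug of the kind named in the thread.
def peer_acceptable?(leaf, trusted_cas, hostname)
  chain_trusted?(leaf, trusted_cas) && hostname_matches?(leaf, hostname)
end
```

The look-alike certificate passes the hostname check on its own, which is why the chain check cannot be skipped, and an empty or home-grown trust store fails the chain check for every peer.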
New conversation
@bascule btw, you going to transact?
@asshurtACKFlags umm, gonna go with no
@bascule it's gonna be so cash dude, see ya there!
End of conversation