Although “0day” is most commonly used in the context of severe security issues exploited in the wild, its only real meaning is that a flaw was revealed publicly without a patch being available. Although the Confluence thing I tweeted is one, in context it’s not a systemic threat
Replying to @SwiftOnSecurity
Indeed, the term "0day" conjures something important enough for the media to salivate over. But as you mentioned, it's just a relation between knowledge of an issue and the fix availability. In your case, you simply pointed to public vendor documentation. So maybe not even 0day?
Replying to @wdormann
I think the fact the private key was extracted (which I didn’t do) slightly qualifies but yes it’s pretty marginal.
Replying to @SwiftOnSecurity
The private key was sitting in plain sight. Any time an HTTPS connection referred to by DNS name connects to localhost (as described in the Atlassian documentation), one should probably assume shenanigans. https://twitter.com/wdormann/status/1202267460235337728 …
Replying to @wdormann
To be fair there is software that generates a unique key on the device so it’s a good bet but not always
Replying to @SwiftOnSecurity
Sure. But that requires that the CA that generates the certificate *also* uses a unique-per-installation CA private key, *and* that the CA is installed into the trusted root CA list in the OS where the software is installed. Not impossible, but expect mistakes (e.g. Superfish).
Hmm, there were two links when I tweeted that. The Universal ADB Driver installer generates a CA, adds it to the system with driver signing permissions, signs the driver, deletes the private key. Not sure how solid the implementation is. https://github.com/koush/UniversalAdbDriver/blob/master/UniversalAdbDriverInstaller/Program.cs#L198 …
Twitter only "prettifies" the last link in a post. They're both there. Anyway, without having looked at that specific implementation, that's conceptually how it'd be done.