OpenSSL Bug

Some small remarks about the OpenSSL bug CVE-2014-0160 related to JonDonym:

  1. JonDonym services: JonDonym services (mix cascades, JonDos payment instance, infoservices) and our software (JonDo, JonDoDaemon, JonDoBrowser) are not affected by this bug.

  2. JonDo live-cd/dvd: The software compilation of our live-cd/dvd contains affected software. A security update for our live-cd/dvd with bugfixes is ready for download. If you are using the live-cd/dvd, an update is highly recommended!

  3. JonDonym webserver: Our webservers got the software updates yesterday and we will change the SSL certificates as soon as possible. Because the certification authorities are under pressure now, it may take a few days to get a new certificate.

  4. Certificate Patrol in JonDoFox: Many other webservers have changed their SSL certificates or will change them within the next days. If you are using the Certificate Patrol implementation of JonDoFox for detecting faked SSL certificates (see: "about:jondofox" or "about:jondobrowser"), you will get many false warnings about suspicious certificate changes within the next days, like the example of DuckDuckGo below.

    [Image: Certificate Patrol warning]

    If security is really important, you may check the blog of the service provider for notices about new SSL certificates, or you may check the certificate in other ways too. The Perspectives project offers a test website where you can compare the md5 hash of the SSL certificate you got with the certificate seen by notary servers. For DuckDuckGo I got the result:

    [Image: Perspectives notary result]

    Yesterday five notary servers of Perspectives saw a new SSL certificate with md5 hash c5:c9:d4:ab:1e:1b:fa:a8:d6:34:99:84:97:2d:cd:2d. The warning presented by Certificate Patrol seems to be a false positive.

    If you are using the SSL Observatory for detecting faked SSL certificates, you will not get false positive warnings; the issue only affects Certificate Patrol.
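The notary comparison described above can be scripted. The following is an added example (not code from the JonDonym project or this blog): it computes a colon-separated fingerprint of a certificate's DER bytes and then decides whether a certificate change is a benign reissue (several independent notaries already see the same certificate) or worth a closer look (no notary sees it). The notary observations, the quorum of 3 and the `fetch_der` helper are assumptions for illustration; the md5 fingerprint used as a notary observation is the DuckDuckGo value quoted on this page. Perspectives displayed md5 in 2014, so `fingerprint` defaults to md5 to match its output, but sha256 is the better choice when both sides can produce it.

```python
import hashlib
import ssl


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Return the digest of a DER-encoded certificate as aa:bb:cc:... (lowercase)."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so fingerprints from different tools compare equal."""
    return fp.replace(":", "").replace(" ", "").lower()


def assess_change(local_fp: str, notary_fps: list, quorum: int = 3) -> str:
    """Classify a certificate change seen by the local client.

    local_fp   - fingerprint of the certificate the browser just received
    notary_fps - fingerprints reported by independent notary servers (one per notary)
    quorum     - how many agreeing notaries are needed to call the change benign

    Returns "benign-change", "suspicious" or "inconclusive".
    """
    agreeing = sum(1 for fp in notary_fps if normalize(fp) == normalize(local_fp))
    if agreeing >= quorum:
        return "benign-change"          # notaries on other networks see the same cert
    if notary_fps and agreeing == 0:
        return "suspicious"             # only this client sees the new cert
    return "inconclusive"               # some agreement, but below the quorum


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate of a live server (real stdlib API; not used in the
    offline demo below). Caller compares fingerprint(der) against notary reports."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed demo data: the md5 value below is the one quoted on this page for
# DuckDuckGo; the five identical reports stand in for the five Perspectives notaries.
NOTARY_REPORTS = ["c5:c9:d4:ab:1e:1b:fa:a8:d6:34:99:84:97:2d:cd:2d"] * 5


def demo() -> dict:
    """Run the three cases a practitioner wants to distinguish."""
    seen_by_client = "C5:C9:D4:AB:1E:1B:FA:A8:D6:34:99:84:97:2D:CD:2D"  # same cert, upper case
    return {
        "reissue_seen_by_notaries": assess_change(seen_by_client, NOTARY_REPORTS),
        "cert_nobody_else_sees": assess_change("00:" * 15 + "00", NOTARY_REPORTS),
        "too_few_notaries": assess_change(seen_by_client, NOTARY_REPORTS[:2]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run it as-is for the offline demo; to check a real server, call `fingerprint(fetch_der("example.org"))` and pass the notary values you read from the Perspectives site into `assess_change`. A Certificate Patrol warning that ends up as "benign-change" is the false positive the post describes; "suspicious" is the case where the warning deserves attention.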
