MySQL 5.5 and 5.6 Vulnerability

Another day, another security vulnerability.

Today Oracle announced security vulnerabilities and associated software patches affecting MySQL 5.5 and 5.6:

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL

To address these vulnerabilities, your database instances will need to be upgraded to either MySQL 5.5.40 or 5.6.21.

If you’re on a hosted service such as RDS, expect to be upgraded during your next maintenance window. More info can be found on Amazon’s security site.

SSL v3.0 POODLE Vulnerability

A new SSL bug was announced today – CVE-2014-3566 (SSL v3.0 POODLE vulnerability).

This vulnerability affects servers still running SSL 3.0. It centers on the cipher block chaining (CBC) padding implementation and allows an attacker in a Man-in-the-Middle (MITM) position to derive the contents of an encrypted payload from the responses to requests that a compromised browser sends to a legitimate server.

One way to remedy this issue is to disable SSL 3.0 support or disable SSL 3.0 CBC-mode ciphers on your servers, but this presents significant compatibility problems with older browsers (specifically Windows XP users who browse using Internet Explorer 6). Instructions on how to disable it on NGINX can be found here.

The other option (recommended by Google among others) is to make use of TLS_FALLBACK_SCSV. This is a signalling cipher suite value that a client includes when it retries a failed handshake at a lower protocol version; a server that supports the higher version rejects such a retry, which solves the problem caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Unfortunately TLS_FALLBACK_SCSV is currently a draft extension to SSL/TLS and has not yet been accepted into OpenSSL or made its way into major browsers other than Chrome.

You can use GeoTrust’s SSL Tool Box to detect if SSL 3.0 is enabled on a web server.
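To make the two mitigations concrete, here is an added example (not code from the original post or from any tool it links to) that builds the SSL 3.0 ClientHello a checker like the one above would send, optionally with TLS_FALLBACK_SCSV appended, and classifies the server's first record: a ServerHello at version 3.0 means SSL 3.0 is still accepted, while an inappropriate_fallback alert shows the server honours the SCSV. The cipher suite and alert values come from the SSL 3.0/TLS RFCs; the sample server record is constructed for offline testing, and probe() is meant for hosts you operate.

```python
"""Added example: SSL 3.0 / TLS_FALLBACK_SCSV handshake probe with an offline self-test."""
import os
import socket
import struct

SSL3 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600                       # signalling suite value from the draft
# CBC-mode suites an SSL 3.0 server exposed to POODLE will typically accept
SSL3_CBC_SUITES = (0x000A, 0x002F, 0x0035)       # 3DES-CBC-SHA, AES128-CBC-SHA, AES256-CBC-SHA
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version=SSL3, suites=SSL3_CBC_SUITES, fallback_scsv=False):
    """Serialise a minimal ClientHello record for the given protocol version.

    With fallback_scsv=True the TLS_FALLBACK_SCSV value is appended to the cipher
    suite list, which is how a client marks a retried, downgraded handshake.
    """
    suite_list = list(suites) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    suite_bytes = b"".join(struct.pack("!H", s) for s in suite_list)
    body = (bytes(version)                       # client_version
            + os.urandom(32)                     # random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                       # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record the server sends back: ServerHello, alert, or other."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                              # alert record
        desc = payload[1]
        return {"kind": "alert", "description": desc, "name": ALERT_NAMES.get(desc, "other")}
    if ctype == 0x16 and payload[:1] == b"\x02" and len(payload) >= 39:  # ServerHello
        hs = payload[4:]                                                 # skip type + 3-byte length
        version = (hs[0], hs[1])
        sid_len = hs[34]
        cipher = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
        return {"kind": "server_hello", "version": version, "cipher": cipher}
    return {"kind": "unknown", "content_type": ctype}


def sslv3_accepted(response):
    """True when the server completed negotiation at SSL 3.0, i.e. it is still exposed."""
    return response["kind"] == "server_hello" and response["version"] == SSL3


def sample_server_record(version=SSL3, cipher=0x000A):
    """Constructed ServerHello record (not captured traffic), used for the offline self-test."""
    hs_body = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def probe(host, port=443, timeout=5):
    """Send an SSL 3.0 ClientHello to a server you operate and report what came back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_server_response(sample_server_record())
    print(result, "-> SSL 3.0 accepted" if sslv3_accepted(result) else "-> SSL 3.0 refused")
```

Run it with a hostname to probe a server you are responsible for, or with no arguments to exercise the parser on the constructed record. A server that has SSL 3.0 disabled answers the SSL 3.0 ClientHello with a protocol_version or handshake_failure alert rather than a ServerHello; one that implements the SCSV answers a fallback-marked hello at a lower version with inappropriate_fallback.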

HipChat 3.0

HipChat rolled out a huge update to their Mac client today (other platforms will be following soon) that features a number of great changes including a brand new, lightweight UI and so far, I’m really digging it.

I was a big fan of the previous UI over competitors such as Slack and this update makes using HipChat even better.

Some other changes in this update include emoticon autocomplete, unread message counts and new presence icons. You can read all about it on their blog.

Heartbleed Bug

You’ve most likely heard about the Heartbleed bug by now. If not, patch your servers and then read up on it at heartbleed.com.

Amazon, Red Hat, Ubuntu, Heroku and the majority of software and infrastructure providers have issued guidance on the issue, so a quick Google search should provide a link.

You can test your servers over at http://filippo.io/Heartbleed/.

In addition to patching, some good additional steps to take are as follows:

  • Invalidate all sessions created before the patch
  • Reissue your private key and SSL certificates
  • Reset the passwords and keys used to communicate to databases and other infrastructure

Be sure to check with your software / infrastructure providers for extra steps they’re requiring / suggesting.

HipChat vs Slack – Part 2

UPDATE – If you’re interested in the HipChat Server beta, you can apply here.

UPDATE 2 – HipChat is now free for unlimited users. Read more here.


Both HipChat and Slack continue to evolve their product offerings with the most notable improvement being HipChat’s recent beta release of video chat and screen sharing. Here’s a quick rundown of the two offerings with a few important distinctions highlighted.

Cost | HipChat | Slack
---- | ------- | -----
Pricing | $0 per user (unlimited users, no limitations); $2 per user for HipChat Plus, which includes video calling and unlimited, searchable message history | $0 per user (unlimited users, but limited to searching the latest 10k messages, 5 integrations, 5GB file storage); $8 per user
Contract | No | No

Features | HipChat | Slack
-------- | ------- | -----
Persistent Rooms | Yes | Yes
Private Rooms | Yes | Yes
1-to-1 Chat | Yes | Yes
Video Chat | Yes | No
Screen Sharing | Yes | No
File Sharing | Yes | Yes
Search | Yes (launches browser) | Yes (native)
Multiple Accounts | No | Yes
Google Authentication | No | Coming Soon
Guest Access | Yes | Coming Soon
SSL | Yes | Yes
UI Language | English Only | English Only
Self-hosted Option | In Beta | No

Extensibility | HipChat | Slack
------------- | ------- | -----
API | Yes | Yes
Integrations | Lots | Lots
Integration Limit | No | Yes (maximum of 5 on free plan)

Platforms | HipChat | Slack
--------- | ------- | -----
Supported | Mac, Windows, Linux, Android, iOS, Browser | Mac, Android, iOS, Browser

SHA-1 vs. SHA-2 SSL Certificates

If you’re thinking about moving to a SHA-2 hashing algorithm for your SSL certificate, remember that it will break in IE6 and all versions of IE on Windows XP prior to SP3. So if you’re supporting users on older machines / browsers, you’ll need to stick with SHA-1.

More information is available here.
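Before deciding whether a certificate can serve the older clients described above, it helps to know which hash actually signed it. The following is an added example, not code from the original post: it walks the outer DER structure of an X.509 certificate (SEQUENCE of tbsCertificate, signatureAlgorithm, signature), decodes the signature algorithm OID and maps it to SHA-1 or a SHA-2 member. The OID table covers the common RSA and ECDSA signature algorithms; the sample certificate is a constructed, certificate-shaped DER blob used only so the code runs offline, and is not a real certificate.

```python
"""Added example: identify the hash behind an X.509 signature by walking the DER encoding."""

# Signature algorithm OIDs and the hash each one uses (RSA PKCS#1 v1.5 and ECDSA)
SIGNATURE_HASH = {
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "SHA-512",    # ecdsa-with-SHA512
}
SHA2_HASHES = {"SHA-256", "SHA-384", "SHA-512"}


def read_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn OID content bytes into dotted form (the first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                        # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_hash(cert_der):
    """Return (signature OID, hash name) for a DER-encoded certificate."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)         # tbsCertificate: skipped, we only need what follows
    _, alg_id, _ = read_tlv(cert, pos)       # signatureAlgorithm: AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_raw)
    return oid, SIGNATURE_HASH.get(oid, "unknown")


def is_sha2_signed(cert_der):
    """True when the certificate's signature uses a SHA-2 hash (the case the post warns about)."""
    return signature_hash(cert_der)[1] in SHA2_HASHES


def der(tag, payload):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def encode_oid(dotted):
    """Inverse of decode_oid: dotted string to OID content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_certificate(sig_oid):
    """Constructed certificate-shaped DER: correct outer layout, but not a real, verifiable cert."""
    tbs = der(0x30, der(0x02, b"\x01"))                                   # stand-in tbsCertificate
    alg_id = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))   # OID + NULL parameters
    signature = der(0x03, b"\x00" + b"\x00" * 4)                          # BIT STRING placeholder
    return der(0x30, tbs + alg_id + signature)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, signature_hash(sample_certificate(oid)), "SHA-2:", is_sha2_signed(sample_certificate(oid)))
```

To inspect a real certificate, pass the DER bytes to signature_hash(); for a PEM file, strip the BEGIN/END lines and base64-decode the body first. The walker deliberately ignores everything inside tbsCertificate, so it works the same for RSA and ECDSA certificates of any size.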