If we have high availability connectivity for servers, I feel like corporations should also consider applying the same principles to inter-personal communication. A distributed and encrypted protocol with a similar feature set to Slack would come in handy. Any suggestions?
There's currently no post on openssl.org, but I expect them to publish one soon. Also, now with all the OpenSSL sh*tstorm this year, I really wonder if LibreSSL is vulnerable to this security problem...
I wish it were still possible to override these per profile. Last time I tried, the knobs were gone and had no effect whatsoever on enabling safer defaults. I used to be able to force a minimum TLS version and enable only a select few ciphers.
Thanks, you're right. Found and disabled all but two specs and tuned the minimum to 3, which is TLS 1.2. Will put those in the locked config file, so that they're read-only at runtime.
I vaguely remember something around a potential fix but I lost track of it. The strange thing is that this appeared yesterday. I haven't had time to actually test this, am just looking to see what the community knows, whether someone could confirm this.
I've found this on isssource and am surprised that it has not spread like wildfire. If the claims are true then this is an issue that should be taken seriously. Posting here for discussion.
So far it looks pretty real. A CVE exists [0], and it's been picked up by Red Hat [1].
It's possible that they're wrong - I haven't personally verified it - but at this point it'd be very surprising. Apart from anything else, these are serious researchers with real track records.
I'm proceeding on the assumption that it's real, and working towards ensuring everything (with a kernel >= 3.6 and < 4.7) is patched. I'd humbly suggest it might be a good idea for others to do so also.
They do not explain the origin of the attack, and instead simply mention "a subtle flaw (in the form of 'side channels')" [sic]. They do not explain why their "temporary patch" [sic] of raising the challenge ACK limit makes the vuln "practically impossible to exploit".
Hell, they do not even link to the original paper.
I skimmed over the paper and that is pretty scary stuff. Just being able to infer that two arbitrary hosts are communicating with each other is bad enough but this seems to allow for arbitrary data injection and connection reset attacks.
This really is a more complex question than it may seem. One of the reasons I haven't yet upgraded my production system is that I want to be able to keep my system up-to-date. Having to manually patch the FreeBSD source tree once a new upgrade lands is a bit of a pain. The point of the article is really about exploring where we are and where the FreeBSD community is headed.
I've been a Rails developer for 10 years now and I have to say it is still my favourite tool of choice (yes, even in 2016). There are other interesting tools and frameworks out there (I'd love to get my hands on Phoenix and Elixir if I had the time), but for now I have to be honest: when I start a new client project I have to consider a few things:
* Using a well-known framework is favourable over new shiny toys in a commercial system
* An ecosystem that has good 'defaults' is essential. A single web framework won't do everything for you. You need stuff around it for testing, deployments, etc.
Mainly for the reasons above, Rails is still my primary tool of choice. Yes, it has pain points, but the reasons above far outweigh the new and shiny.
If you can make this work in a way that it's capable of reinstalling a precise snapshot (like using a Gemfile.lock in Ruby's Bundler world) and keep it stable, then I will once again have faith in JS package management.
My thoughts exactly. Whilst I don't care about Salesforce's CRM, I wouldn't want MS to get their hands on Heroku. Once MS bought one of my favourite companies (Rareware, now Rare as part of MS Game Studios), they effectively killed creativity. I'm not saying that MS is necessarily evil; all I'm saying is that I've seen this once and I was really disappointed.
Interestingly, one could say the same about salesforce.com. What positive things have they contributed to Heroku, beyond hoping their developer community would start making apps for salesforce.com overnight (which they didn't)?
And do many people actually use Heroku for anything serious? Once they hit a certain size, it seems Heroku quickly becomes uneconomic.
Heroku had its time in the sun, but that day is rapidly coming to an end...