Internet Heart Attack: OpenSSL, Not Secure HTTPS

In April 2014, many talk about ‘OpenSSL farce and Password-leaking debacle’. The media reports: “Heartbleed bug allows attackers to read the memory of the systems protected by OpenSSL! Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory (server’s memory is where the most sensitive data is stored)”. As some Iranian experts say: “This debacle (Heartbleed) is the most dangerous security flaw on the web. It’s a digital Catastrophe. On the scale of 1 to 10, this is a 12 ! It can lead to the leak of all passwords and private keys. It attacks the heart of the internet security. It’s an ‘Internet Heart Attack’, and now many give advice to people and say: ‘You should stay away from the internet entirely for a while; [that means] Don’t check your emails; Don’t login in any websites; and Don’t use any HTTPS/ SSL services!”. The OpenSSL Farce is important, because as some Iranian experts say: “OpenSSL is a free and open-source cryptographic/ security library, but two-thirds of the Web, including big companies, use OpenSSL! If you want to see [the dept of Tragedy], you should know that as the media reports: ‘there are only 11 people currently work in OpenSSL: a British cryptographer [!], 2 other British volunteers [!], and a few others’ ! (April 2014) OpenSSL is just one of many implementations of SSL protocol and security algorithms. But as many (experts & non-experts) ask: ‘Why tech giants, big companies and two-thirds of the Web should use OpenSSL?! Why OpenSSL, that has many bugs and serious problems, has become the heart of the internet security ?! Is OpenSSL a Big Brother’s security package?! Is OpenSSL a GCHQ/ NSA package?! Why we don’t have many good alternatives to OpenSSL ?! Universities, colleges and many experts can develop many alternatives to OpenSSL. But why the media reports: ‘Most universities and colleges use OpenSSL; Banks, CAs and security companies, and even the biggest tech companies like Google, Yahoo, Amazon, Paypal, and Cisco use OpenSSL’ ?!! Such questions are [very important]. But the most laughable part of [OpenSSL Farce] is what the US media says: ‘Cisco Systems, the biggest creator of security equipment announced that their products [use OpenSSL] and had been affected by the Heartbleed bug !’ ! (April 2014)”. They also add: “Mass media says: ‘Two-thirds of the Web use OpenSSL. But the actual extent of Heartbleed’s damage is unclear’, while the main question is: ‘Why OpenSSL has become the heart of the internet security?! Why most security tools -and also services such as HTTPS, SMTP, IMAP, OpenVPN etc- use OpenSSL?! Governments and all attackers can use OpenSSL’s bugs to steal the people’s passwords and private keys. The bad guys can use stolen data to create fake SSL certificates, and to launch different attacks. In fact, the bad guys can use OpenSSL’s bugs to snoop/ spy on HTTPS and all SSL connections”. In Iran, as some wise Iranians say: “we have both OpenSSL tragedy and non-OpenSSL tragedy. The Mullah regime, with the help of the UK and the US regime, launch many Orwellian attacks on SSL connections. Even according to [2]: ‘Reporters without Borders (RSF.org), The 2013 Enemies of Interne’, Mullahs launch attacks on HTTPS and SSL connections by using American tools and British devices! [2] And ‘more astonishingly, the use of Israeli surveillance devices has also been detected in the Mullah regime‘ ! [2] In fact, Islamists not only lick the ass of their Zionist IMF, but they use other Zionist tools to hurt Iran and Iranians. Arabs and Islamists are actually Zionists. In fact, Rouhanis and Islamists are Satanists. As their RSF reports: ‘Filtering and surveillance device was provided by Is-rael to Mullahs’ ! [2] Such facts are like the Iran-Contra scandal, the 2009 CIA-Zionist Coup, and the Mullah-Zionist IMF farce. Islamists and Zionists are really Satan’s agents. The so-called Great Satan (USA, UK etc) is behind Mullahs and other Satanists. Now even non-Iranians -in reports like [3]: ‘Internet Censorship in Iran: A First Look’ (Aug 2013)- talk about ‘DNS hijacking, and protocol-based throttling in Iran’ [3], and say: ‘Mullahs have the capability to conduct SSL man-in-the-middle attacks‘ ! [3] They know that the UK and the US regime gave Mullahs this Orwellian capability [2] They know that ‘In Iran, the private IP address 10.10.x.x or 10.x.x.x is a device used for censorship and filtering’ [3] They even know that we all need ‘new & next-generation anticensorship tools’ [3] But the world has closed its eyes to this important fact that the West aids Mullahs and brutal dictators, and betrays all humans. As their RSF says: ‘the Western technology allows the Mullah regime to keep Iran’s Internet under close surveillance’ ! [2] The West is behind the Mullah Great Firewall, while the world is silent. But now, the world and the Western people can see the result of their silence. Now, the West openly attacks the free internet and hurts all humans, including average Westerners”.

InternetCensorship061208.gif

In these days, some wise Iranians say: “As the history of Iran and the world is divided into two eras: ‘before 2009’ and ‘after 2009 Jewish Coup’, the history of the internet and internet security is divided into two eras: ‘before Snowden’ and ‘after Snowden’s revelations’. Most people lived in a pure fantasy world before Snowden’s revelations. Most people had many illusions about the West and the free internet. For instance, they said: ‘Mullahs and Islamists are worse than animals, but the West is different’ ! But now people can see the true face of the West, and many can understand why and how the US and the West aid Mullahs in fucking and filtering the internet in Iran. Now even non-Iranians can understand the importance of reports like [1]: ‘Mullah Web Spying Aided By Western Technology’ (Wall Street Journal (WSJ), June 2009). Now it’s clear why ‘Mullahs use spying/ filtering equipments from U.S. companies and European companies’ [1] Of course it has also become clear that our situation in Iran is like the situation in the West. Mullahs still send noise and parasite and try to slow down the filtered Internet in Iran. But the situation in Iran and the West are almost alike. In Iran, Mullahs openly perform their evil acts, and all people can see and feel the Mullah evil acts. But the West secretly performs such evil acts and more evil acts”. In Iran, as some Iranian experts say: ‘OpenSSL farce is more ridiculous. The Mullah regime itself uses OpenSSL, and their systems are not safe and secure! [This British Shit, Rouhani, and other British Mullahs] just love to hurt Iranians, and don’t care about real problems. But it’s not the whole story. According to Reporters without Borders, American Companies such as Blue Coat [2] aid Mullahs in ‘Deep Packet Inspection’ and launching attacks on HTTPS and SSL connections [2] ‘Blue Coat is a large IT company based in California, that is known for providing filtering and censorship devices for brutal dictators[2] These American pigs and the [British barbarians] sell their Orwellian tools to Mullahs, and that’s why Mullahs are able to perform SSL man-in-the-middle attacks. This Mullah ‘man-in-the-middle attack’, aka Mullah-in-the middle attack, is a new problem that, like many other problems in Iran, has been created by the US, the UK and [the EU]”. They also add: “In Iran and the West, SSL connections are not secure from snooping in transit. Now even non-Iranians say: ‘Mullahs use American tools, which are designed to intercept data meant to be sent to secure (https) sites’ ! [2] But it’s just part of the tragedy. In Iran, all anti-filtering tools, all VPNs and all anti-censorship tools use OpenSSL. They all [suffer from] OpenSSL’s bugs, and Mullahs can use fake certificates and other Orwellian tricks to control them. Now, Mullahs launch attacks on all HTTPS / SSL connections, including VPN connections. In March and April 2014, the anti-censorship tools in Iran were under new attacks. For instance, UltraSurf -that many Iranians used it- had become a joke. For about 10 days, UltraSurf was directly connected to the Mullah servers, which are Orwellian surveillance machines with 10.10.x.x IP address! Iranians suffer from global problems, too. In these months, Email providers just said and say: ‘We update our SSL certificates’ or ‘SSL certificates updated again (and again)’ ! So, finding fake certificates was hard. It was a global problem. In Iran, Mullahs tried to use ‘OpenSSL debacle’ to create fake digital certificates, and to steal people’s passwords. It was a global problem, too. But Iranians already knew that many things -from emails and phone calls to passwords- are not safe and secure, because they are under the Mullah spying attacks. As many Iranians said and say: ‘We, Iranians, have nothing to hide. Mullahs and Islamists are spies and stooges of Iran’s enemies, and should be afraid of hurting Iranians, violating basic rights, betraying Iran, and helping Iran’s enemies’. But it’s so ridiculous that the West and Mullahs help each other, betray Iranians and violate basic rights. It’s so shameful that the West aids Mullahs in launching internet attacks, controlling anti-censorship tools, and violating basic rights. Without the aid of the UK and the US regime Mullahs are not able to launch Orwellian attacks on SSL connections”. We have already written about the tragedy of the Internet in Iran, and repeatedly warned about the global silence (check Archive). But as some wise Iranians say: “Now the Western-made problems in Iran, aka Iranian problems, have become global problems. In 2009, their own WSJ said: ‘the Islamic regime, with the assistance of Western companies, has one of the world’s most sophisticated mechanisms for controlling and censoring the Internet, allowing it to examine the content of online communications on a massive scale’ [1] But now it’s clear that the West just tests its Orwellian technologies -like Deep Packet Inspection (DPI)- in Iran, and after some years, they will use such Orwellian tools in the West. ‘In Iran, the Internet having slowed to less than a tenth of normal speeds. DPI delays the transmission of online data’ [1] But as many Iranians say to Westerners, our today is your future. The Mullah Great Firewall was and is just the predecessor of the Great Firewall in the UK and the EU. The Mullah regime is a stupid puppet of the West. Mullahs use Cisco firewalls and other Western tools (from OpenSSL to Great Firewall) to protect their Mullah system!, while Cisco and other Western companies work with NSA and Big Brother’s agencies. In fact, Mullahs use NSA tools and IMF programs, and IMF, NSA and UK control the Mullah system!”.

40hj.jpg

In April 2014, as some wise Iranians say: “the US media reports: ‘NSA and GCHQ already knew OpenSSL’s bugs, but didn’t reveal such exploits to the public’ ! But now even non-Iranians say: ‘NSA and GCHQ create security holes and use them. You cannot ask them: Is your tool safe to use? Does it contain backdoors? They’re not going to tell you [!] The US and UK’s attacks on the internet must be made public’. But most of the Western experts say nothing about real problems and real solutions […] OpenSSL has many problems. You expect that only ordinary people use OpenSSL, because it’s free. But the main questions is: Why big companies like Yahoo, Amazon, Adobe, PayPal, Google etc use OpenSSL?! Why many CAs, banks, security companies, and two-thirds of the Web should use OpenSSL ?!!”. They also add: “Tor project uses OpenSSL. But now, instead of saying: Don’t use Tor for a while, or ‘If you need anonymity or privacy on the Internet, you should stay away from (Tor and) OpenSSL’. The stupid Tor project just says: ‘If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for a few days’ ! (April 2014) Tor and OpenSSL are the same shits. The Tor Project, aka the Tor Farce, can show you the main problems. The Tor guys get money from the US regime, but claim that they fight against the US regime’s evil acts! Before Snowden many ignored such facts, but now the meaning of the Tor- OpenSSL farce is clear. Instead of providing help, they just worsen problems. They are worse than big companies. Most people don’t trust big companies. In 2014, when the media talked about ‘Apple’s embarrassingly simple ‘goto fail’ bug in OS X’ or ‘Apple users (iPhone & iPad users etc) at risk of SSL man-in-the-middle attacks’ !, many didn’t trust ‘Apple’ and already knew that ‘they can capture or modify your data in sessions protected by SSL/TLS’. In 2014, ‘NIST stated that Apple’s implementation of SSL/TLS does not check the digital signatures, which allows man-in-the-middle (MITM) attacks to spoof SSL servers’. But many people said: ‘Apple’s goto fail disaster was created by the NSA and/ or by one of the richest companies on Earth !’ ! (2014) Normal people know big companies, but OpenSSL guys just insult your intelligence and say: ‘We don’t work on OpenSSL for money’ !! (April 2014) As our people say: Yah, they work for the God and the Big Brother’ ! They are like Mullahs and Islamists, who love to aid Satan, to do evil acts, to steal your money, and to say: We don’t work for money! We work for god !”. In this year (2014), many things are ridiculous, but informative. As some Iranian experts say: ‘In 2014, the media talks talks about ‘damage to Yahoo’s brand’ ! In Feb 2014, the media reported: ‘Yahoo says usernames and passwords of its email users have been stolen! But many Yahoo email users don’t even know about such facts’ ! [Unfortunately] most people are not aware of important facts. For instance, they don’t know that HTTPS is not safe and secure. HTTPS should provide a true end-to-end security, but as experts say: ‘instead of connecting to your destination, you can connect to Big Brother proxies! In Iran, there is no true end-to-end security, and even when you use anti-filtering tools, you can connect to Mullah machines’ ! But it’s a global problem. As many experts say: ‘there is no safe and secure end-to-end HTTPS. And there’s nothing more dangerous in this context than thinking you’re end-to-end secure when you’re really not‘. Now many [talk about] ‘HTTPS 2.0’, and this fact that NSA can be behind the HTTPS 2 proposal. As they say: ‘[bad guys] ask you to ‘Trust Big Brother, your friendly man-in-the-middle! They [praise] the concept of ‘trusted proxies’, Big Brother’s proxies, and use a stupid ‘Trust us’ concept to fool people. They say: ‘Trust us. Trust Big Brother! But the concept of ‘trusted proxies’ is inherently
untrustworthy, especially in this post-Snowden era”. As the wise Iranians say: “It’s good that most people are changing their views. Now the concept of ‘Internet security’ or ‘computer security’ should change. Now all experts should ask themselves: We actually work for what and for whom? If you only work for money, and help bad guys, you are definitely a stupid whore and a bad guy. But if you are a good guy or a good/ wise expert, you must pay more attention to Orwellian technologies and what Big Brothers do or want. In the past, many said: ‘we are concerned about the role and practices of Certificate Authorities (CAs)’. But now it’s clear that CAs and the so-called trusted parties can work with NSA, GCHQ and Big Brothers. In the past, many said: ‘the security of HTTPS is only as strong as the practices of the untrustworthy CAs’ or ‘HTTPS security level is dependent on the security features/capabilities of [Big Brothers] !’ But now it’s clear that Big Brother has visibility to all personal and private information, and SSL connections are not secure from snooping in transit. All good and wise experts should work on new ideas and new protocols, which are independent of Authorities, governments, Big Brothers and any ‘trusted parties’. We [not only] need many alternatives to tools and packages like Tor and OpenSSL, but we need serious alternatives to the current Orwellian technologies and Orwellian ideas/ concepts”. Think about it. We should write more about these issues later.

Comments are closed.

%d bloggers like this: