Is DOPUS affected by the Heartbleed bug/NSA added feature?

Hi, just wondering if users should have any concern and if/when Dopus will be patched up (if needed).
Does it use OpenSSL for anything...? Just wondering.

As far as I know, Opus doesn't use any kind of SSL. The feature has been requested, though, to support TLS.

It could be affected in theory, and an update is coming with new OpenSSL DLLs for both Opus 10 and Opus 11.

To be affected, someone would have to get you to connect to their FTPS server using SSL/TLS, and then may be able to read random data from the dopus.exe process memory.

For people who never use FTPS, there is no known risk, since OpenSSL isn't used for anything else in Opus. In particular, SFTP does not use OpenSSL and is not affected. OpenSSL is used for FTPS, but not for SFTP.

There is also no known risk as long as the FTPS servers and networks you're using have not been compromised (e.g. DNS poisoning), since the attack would have to come from a server you connect to.

If you did connect to a compromised/malicious FTPS server, only the dopus.exe memory could be read, one random 64KB block at a time, not memory from any other process on the machine.

So, if you're not sure about the servers or networks you use, you might want to avoid using FTPS until the update is out, to be on the safe side. Otherwise, there shouldn't be any cause for concern.

Those updates went up this morning.

Thanks leo.

[quote="leo"]It could be affected in theory, and an update is coming with new OpenSSL DLLs for both Opus 10 and Opus 11.

To be affected, someone would have to get you to connect to their FTPS server using SSL/TLS, and then may be able to read random data from the dopus.exe process memory.

For people who never use FTPS, there is no known risk, since OpenSSL isn't used for anything else in Opus. In particular, SFTP does not use OpenSSL and is not affected. OpenSSL is used for FTPS, but not for SFTP.

There is also no known risk as long as the FTPS servers and networks you're using have not been compromised (e.g. DNS poisoning), since the attack would have to come from a server you connect to.

If you did connect to a compromised/malicious FTPS server, only the dopus.exe memory could be read, one random 64KB block at a time, not memory from any other process on the machine.

So, if you're not sure about the servers or networks you use, you might want to avoid using FTPS until the update is out, to be on the safe side. Otherwise, there shouldn't be any cause for concern.[/quote]

You misunderstand and play down the severity of this flaw.

Servers are compromised all the time on the internet. The most basic principle of internet security and OpenSSL is that you can't trust the server or client not to be malicious. In fact, you can't even be sure that you are talking to the server you expected to talk to, so you must verify it first. DNS poisoning is not the only way servers can be compromised. To say there is "no known risk as long as the FTPS servers and networks you're using have not been compromised" shows a disturbing lack of understanding as to what OpenSSL does and how many common types of attack work on the internet.

Although the contents of the 64KB block being read is somewhat random it has been demonstrated that it can be used to recover information useful to an attacker, such as private keys. It was initially thought that this was unlikely, on the same flawed logic that you seem to be using. Within hours of this being stated it was proven to be incorrect, with many people being able to gather sensitive data. The attack can be repeated over and over, with no warning presented to the user or way for current anti-virus software to detect it. Such attacks have been spotted in the wild.

It is extremely serious and it is good that you fixed it. Anyone who has used FTPS at any time should reset their passwords and consider replacing any private keys that were used. Any files that were opened by or interacted with by DOpus should be considered potentially compromised.

Also see this thread: Is DOPUS affected by the Heartbleed bug/NSA added feature?

You need to keep auto-updates on despite what Leo said there, otherwise you would still be vulnerable to this popular attack.

What exactly is your point? It wasn't our bug, and we released an updated library very quickly. What more do you expect?

I'm happy that you fixed the bug. Thanks for doing that. I was merely pointing out that Leo's assessment of the severity of this problem is a vast underestimation. Leo was arguing, in the other thread that is now deleted, that it wasn't a major problem and thus not worthy of notifying people of by email, after previously advising people who didn't want the Opus 11 advertising messages every 60 days to turn off update checks.

So in answer to your question I expect update notices for critical security fixes, without spam messages. That's all, not much to ask for. It would be nice if we could discuss this calmly, but it seems that you have reached the point where you simply deleted the thread. Can you explain, please, if a user doesn't want the Opus 11 upgrade messages but does want to be notified of security issues, what they should do?

For Heartbleed to affect a client, the client has to actively connect to a compromised or malicious server, or something impersonating/proxying that server via a compromised network.

So I do not see how you would be at risk when connecting to a server you trusted over networks which were not compromised.

The client side does not use a private key in this scenario (in the sense of SSL certificates being stolen, which is one of the major issues with the OpenSSL bug). But, yes, there may be something like an FTP site password in the dopus.exe memory which would be of interest to an attacker. (Probably the password for the site they have already compromised.)

If someone wants to attack you, and if they have compromised the server you choose to connect to and/or the networks you use to connect, and if you use FTPS, then the old version of Opus/OpenSSL could have allowed someone to read information out of the dopus.exe address space. Those are a lot of ifs but, yes, it's not zero risk, so we put out a fix with the new version of OpenSSL, including for people who last paid for Opus in 2011.

The opportunity to do that ended when you started saying we were deceitful for having a view on the severity of an issue which differed to your own.
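The mechanism leo describes above (a malicious or impersonated FTPS server sends the client a heartbeat request; the unpatched client echoes back up to 64KB of its own process memory per probe, which may include an FTP site password) is modelled below as an added example. It is not part of the original thread and is not Directory Opus or OpenSSL code: the `memory` bytearray stands in for the dopus.exe address space, the planted `PASS` line and the probe are constructed test data, and the function names are mine. The length check in `fixed_respond` is the one OpenSSL 1.0.1g added for CVE-2014-0160 (RFC 6520 heartbeat: 1 type byte, 2 length bytes, payload, at least 16 bytes of padding).

```python
"""Model of the TLS Heartbeat (RFC 6520) bug behind Heartbleed, CVE-2014-0160.

Added example, not Directory Opus or OpenSSL code. `memory` plays the part of
the client process address space; the request record, the FTP PASS line
stored nearby and the probe itself are all constructed for the demo.
"""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16      # RFC 6520: at least 16 bytes of random padding
MAX_PAYLOAD = 0xFFFF  # payload_length is a 16-bit field: at most 64KB per probe


def build_heartbeat(declared_len, payload, padding=b"\x00" * MIN_PADDING):
    """Build a heartbeat request; declared_len may lie about len(payload)."""
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding


def vulnerable_respond(memory, offset):
    """Pre-1.0.1g behaviour: trust the declared length and copy that many bytes
    from where the request sits in memory, reading past the end of the record
    into whatever the process stored next to it."""
    hb_type, declared_len = struct.unpack_from("!BH", memory, offset)
    if hb_type != HB_REQUEST:
        return None
    start = offset + 3
    leaked = bytes(memory[start:start + declared_len])  # over-read
    return struct.pack("!BH", HB_RESPONSE, declared_len) + leaked + b"\x00" * MIN_PADDING


def fixed_respond(memory, offset, record_len):
    """1.0.1g behaviour: silently discard a heartbeat whose declared payload
    (plus header and minimum padding) does not fit in the received record."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    hb_type, declared_len = struct.unpack_from("!BH", memory, offset)
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + declared_len + MIN_PADDING > record_len:
        return None
    start = offset + 3
    payload = bytes(memory[start:start + declared_len])
    return struct.pack("!BH", HB_RESPONSE, declared_len) + payload + b"\x00" * MIN_PADDING


def is_heartbleed_probe(record):
    """Network-side detection: a heartbeat request whose declared payload
    cannot possibly fit inside the record that carried it."""
    if len(record) < 3:
        return False
    hb_type, declared_len = struct.unpack_from("!BH", record, 0)
    return hb_type == HB_REQUEST and 1 + 2 + declared_len + MIN_PADDING > len(record)


def demo():
    """A malicious server sends a 1-byte heartbeat claiming 65535 bytes while
    the client happens to hold an FTP password a little further along in memory."""
    probe = build_heartbeat(MAX_PAYLOAD, b"A")   # 20 bytes actually on the wire
    benign = build_heartbeat(4, b"ping")         # honest length, 23 bytes

    memory = bytearray(b"\x00" * 32)
    offset = len(memory)
    memory += probe
    # Constructed neighbouring heap data: an FTP login the client sent earlier.
    memory += b"\x00" * 64 + b"PASS hunter2-constructed\r\n" + b"\x00" * 512

    vuln = vulnerable_respond(memory, offset)
    fixed = fixed_respond(memory, offset, len(probe))

    benign_mem = bytearray(benign)
    benign_ok = fixed_respond(benign_mem, 0, len(benign))

    return {
        "probe_detected": is_heartbleed_probe(probe),
        "benign_flagged": is_heartbleed_probe(benign),
        "vulnerable_leaked_password": vuln is not None and b"hunter2-constructed" in vuln,
        "vulnerable_response_len": len(vuln) if vuln else 0,
        "fixed_dropped": fixed is None,
        "benign_ok": benign_ok is not None and benign_ok[3:7] == b"ping",
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the code makes concrete: the 64KB figure in the thread is simply the maximum of the 16-bit `payload_length` field, and the fix is a bounds check on data the peer controls, which is why the question of whom you connect to (and whether the network in between can substitute a peer) decides the exposure.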

I don't trust many servers I connect to with SFTP. I don't control them, they might be compromised. That's the way it is on the internet, I'm afraid. There are lots of articles on this subject online.

I apologise if you were offended.

Can we try to move forward here? There clearly needs to be a mechanism for notifying people of updates, particularly security ones. On the other hand the periodic messages about Opus 11 are annoying and unwanted. Can we find a solution?

The promise was that we would send an email, rather than rely on the normal notification mechanisms (update checker, main website, forum, news blog and Twitter feed), if there was a serious security update which needed urgent attention.

While Heartbleed is serious in the wider context, we did not consider it to be very serious in the context of Opus, for the reasons I've given already and will give again.

There is no evidence anyone is trying to attack Opus via the flaw. FTPS has to be used explicitly (so it is not something an attacker can make happen without the user doing specific things). Few people use FTPS. FTP and SFTP are not affected. It requires a compromised server or network. The scope of what could be obtained from the dopus.exe memory space is such that an attacker would have to get lucky to find anything useful beyond the ability to access the server they've probably already compromised in order to mount an attack on the client. (They may get lucky, but we're talking about when the update is discovered here, not whether the update exists at all. The risk is already extremely low; the amount of extra risk if the update isn't discovered immediately is virtually none in this case.)

We decided it was worth putting out an update, and got one out quickly.

Since the issue was so much in the news, anyone who felt at risk was already keeping an eye out for updates to FTPS software. People could find the update via the update checker, the main website, the forum, the news blog and the Twitter feed.

We considered sending an email (it's not like I forgot about the discussion we had here days earlier!) but decided it was not worth sending out thousands of emails to tell everyone who uses Opus about this update.

That was and is our reasoning. You may disagree. We may be wrong. But that's the call we made, in good faith, and we decided it did not make sense to send out thousands of emails. If you want to point me to someone who was harmed by this decision I'll admit we made the wrong call, but even then we made the call in good faith after weighing up the likelihood it would happen.

We almost did not do the update for Opus 10 at all.

FYI, it was me that pushed for us to update Opus 10 even though it is no longer the current version and people using it have already had ~3 years of free updates. I can't see myself pushing for that again after this, even if another once-in-a-lifetime event like Heartbleed comes up. The rest of the team want to focus 100% on Opus 11 and rewarding the people who are still supporting its development & putting food on our tables. So you can turn off the update checker now. We won't be doing any more Opus 10 updates. And I won't be making any more promises in case anyone interprets what I've said as something different to what I meant and calls me a liar.

And we had already put out an earlier Opus 10 update in response to your complaints about the update checker, such that it would only appear six times a year, so you could have left the update checker turned on.

I've repeated myself enough now so I am locking the thread.