What Perfect Forward Secrecy means

Let’s say you had an encrypted conversation with Bob yesterday. Today Bob accidentally posts his secret key on the internet. You still want your conversation to be private, right? So what can you do? You can use a cryptographic protocol with perfect forward secrecy (PFS). That will protect you against similar blunders by your conversation partners and even your own blunders of this type. Sounds pretty desirable, right?

Since the Snowden leaks, we know for sure that a variety of state run intelligence services record your communication – some of them with the explicit intent to decrypt it later when possible. And with many protocols you just need to break one key to be able to decipher many messages. PFS also protects against that: you usually need to break every single message individually.

So both blunder, as well as outright malice, pose a sizeable threat, which therefore we need to consider when designing our threat models.

Continue reading

commons-fileupload 1.3.3 resolves deserialisation vulnerability CVE-2016-1000031

CVE-2016-1000031 is a vulnerabilty in the extremely widely used Apache Commons library commons-fileupload – you might not even know you’re having it on your class path. It has a very nasty Remote Code Execution vulnerability with easy to use exploits publicly available up to version 1.3.2. What makes it even worse is that you do not even need to use the library – you only need to have it on your class path and to deserialise some data. The data is the attack vector. You can find a good in detail explanation of the vulnerability here.

It did take a while but with version 1.3.3 this vulnerability is finally closed (by default).

There is some stuff that you should know about the fix though:

Continue reading