科技回声
A tech news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声. All rights reserved.

OpenSSL.org hacked?

128 points, by moeffju, over 11 years ago

15 comments

zaroth, over 11 years ago
I tend not to click on links advertising pages that are hacked. You know, not that many zero days on Chrome, but still seems like a risky click, as they say.
midas007, over 11 years ago
Yet another example of why both signing release artifacts AND verifying them is important.

Also, if you're running the public website for a security lib or core FOSS package, expect more attacks by kiddies trying to build rep... so very conservative tech choices (mostly static website served from a read-only fs) and defensive practices are de rigueur.
grogenaut, over 11 years ago
I said this in a lower thread but I figured it's better up here.

Why is there not a standard for links of this type in browsers? E.g. <a href="url" sigurl="url to sig" sigalgo="algo to calculate signature">OpenSSL</a>

That's a simple way to go, but I really think it's as generally insecure as reading a signature from a url that is advertised by a website. It's also why I rarely bother.

But if browsers were good about this then it could be done in a much better way, which is to sign the application with a real peer-verifiable signing method. Such as the SSL cert that covers the site behind the open source project.

Now this only works for projects that have SSL certs. Another method would be to have a clearing house that can do 1-1 with github et al and a re cert, like an oss cert organization. A final good way would be to use the beauty of git and use the source checksums and a repeatable build process (which is fricking hard) and come up with a way to give a signature for oss applications based on a git commit and check that back to the public git repository.

Really I think known public keys for oss projects and branches would be the real answer. And the security gating for newbs would be like windows and linux, which check the public signature of the application before they run them from the web and make the end user feel safe instead of doing nothing.

Browsers have a good share in this responsibility as well. Standard domain security should work well here as well. Better than what we have.

I leave this to more entrepreneurial minds to make this work and I'd love some real telegraph style sinkers to point out the flaws. This is just me talking after a belated xmas dinner. But I think I'm kind of on course.
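A worked example of the sign-and-verify practice that midas007 and grogenaut are discussing, added here as an illustration; it is not code from the thread or from the OpenSSL project. It uses Go's standard-library Ed25519 over a SHA-256 digest of a constructed tarball (OpenSSL releases at the time were PGP-signed, so the algorithm choice is an assumption of the example), with the maintainer's public key pinned out of band, and contrasts that with comparing the download against a checksum printed on the same, possibly defaced, page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release pairs a downloaded artifact with the detached signature published
// beside it. Constructed layout for this example, not OpenSSL's release format.
type Release struct {
	Name      string
	Artifact  []byte // tarball bytes as downloaded
	Signature []byte // Ed25519 signature over SHA-256(Artifact)
}

// ErrBadSignature is returned when the download does not verify against the
// key the verifier already trusted before fetching anything.
var ErrBadSignature = errors.New("signature does not verify against the pinned maintainer key")

// SignRelease is the maintainer side: sign the SHA-256 digest of the artifact
// with the project's private key and publish the signature next to the file.
func SignRelease(priv ed25519.PrivateKey, name string, artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{
		Name:      name,
		Artifact:  artifact,
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// VerifyRelease is the user side. pinnedPub must come from somewhere other
// than the download site (a distro keyring, a key fetched long before the
// incident, a key exchanged in person): a key served by a defaced site proves
// nothing, because the attacker can publish a key that matches their tarball.
func VerifyRelease(pinnedPub ed25519.PublicKey, r Release) error {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return fmt.Errorf("pinned key has %d bytes, want %d", len(pinnedPub), ed25519.PublicKeySize)
	}
	digest := sha256.Sum256(r.Artifact)
	if !ed25519.Verify(pinnedPub, digest[:], r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// ChecksumOnlyMatches models the weaker habit of comparing the download
// against a SHA-256 printed on the same page. It catches corrupted transfers,
// but an attacker who replaced the tarball simply replaces the printed digest.
func ChecksumOnlyMatches(published [sha256.Size]byte, artifact []byte) bool {
	return sha256.Sum256(artifact) == published
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // maintainer key; pub is distributed out of band
	if err != nil {
		panic(err)
	}
	genuine := SignRelease(priv, "example-1.0.tar.gz", []byte("constructed tarball bytes"))
	fmt.Println("genuine download:", VerifyRelease(pub, genuine))

	// Defacement scenario: tarball, printed checksum and even the signature are swapped.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	swapped := SignRelease(attackerPriv, genuine.Name, []byte("attacker-replaced tarball bytes"))
	fmt.Println("checksum on the defaced page matches:",
		ChecksumOnlyMatches(sha256.Sum256(swapped.Artifact), swapped.Artifact))
	fmt.Println("pinned-key verification:", VerifyRelease(pub, swapped))
}
```

The point the two functions make together: the checksum comparison passes for the attacker's tarball because the attacker controls the page the checksum is printed on, while the signature check fails as long as the public key was obtained from somewhere the attacker does not control.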
gtklocker, over 11 years ago
What is a good reason for openssl.org not to utilize HSTS[1]?

    $ curl -I https://www.openssl.org/
    HTTP/1.1 200 OK
    Date: Sun, 29 Dec 2013 03:57:54 GMT
    Server: Apache/2.2.22 (Ubuntu)
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Length: 15686
    Content-Type: text/html

[1]: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
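A parser and checker for the header gtklocker is asking about, added here as an example; it is not code from the thread or from openssl.org. It runs over the `curl -I` response quoted above, reconstructed inline as a string constant, and over a constructed strong policy. The one-year minimum in Findings is the usual deployment recommendation, an assumption of this example rather than a rule from RFC 6797. The header only takes effect when the browser receives it over HTTPS, which an offline check of captured headers cannot confirm.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy holds the directives of one Strict-Transport-Security header
// (RFC 6797): max-age is required, includeSubDomains and preload are optional.
type HSTSPolicy struct {
	Present           bool
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// OpenSSLHead2013 is the curl -I response quoted in the thread, reconstructed
// here as a constant (not a live capture).
const OpenSSLHead2013 = "HTTP/1.1 200 OK\r\n" +
	"Date: Sun, 29 Dec 2013 03:57:54 GMT\r\n" +
	"Server: Apache/2.2.22 (Ubuntu)\r\n" +
	"Accept-Ranges: bytes\r\n" +
	"Vary: Accept-Encoding\r\n" +
	"Content-Length: 15686\r\n" +
	"Content-Type: text/html\r\n\r\n"

// ParseHSTS scans a raw response head (status line plus header lines) and
// parses the first Strict-Transport-Security field it finds; RFC 6797 tells
// user agents to process only the first one, so later duplicates are ignored.
func ParseHSTS(rawHead string) (HSTSPolicy, error) {
	var p HSTSPolicy
	sc := bufio.NewScanner(strings.NewReader(rawHead))
	for sc.Scan() {
		name, value, ok := strings.Cut(sc.Text(), ":")
		if !ok || !strings.EqualFold(strings.TrimSpace(name), "Strict-Transport-Security") {
			continue
		}
		p.Present = true
		for _, directive := range strings.Split(value, ";") {
			key, val, _ := strings.Cut(strings.TrimSpace(directive), "=")
			switch strings.ToLower(strings.TrimSpace(key)) {
			case "max-age":
				// The RFC allows the value to be quoted.
				n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(val), `"`), 10, 64)
				if err != nil || n < 0 {
					return p, fmt.Errorf("invalid max-age %q", val)
				}
				p.MaxAge = n
			case "includesubdomains":
				p.IncludeSubDomains = true
			case "preload":
				p.Preload = true
			}
		}
		return p, nil
	}
	return p, nil
}

// Findings returns what a reviewer would flag for the policy. The one-year
// minimum is the common recommendation, an assumption of this example.
func Findings(p HSTSPolicy) []string {
	const oneYear = 365 * 24 * 3600
	if !p.Present {
		return []string{"no Strict-Transport-Security header: the first plain-http visit, and every visit after the browser's HSTS cache is cleared, can be redirected or stripped"}
	}
	var out []string
	if p.MaxAge == 0 {
		out = append(out, "max-age=0 removes the host from the browser's HSTS cache")
	} else if p.MaxAge < oneYear {
		out = append(out, fmt.Sprintf("max-age=%d is shorter than one year", p.MaxAge))
	}
	if !p.IncludeSubDomains {
		out = append(out, "missing includeSubDomains: a subdomain reached over http:// can still set cookies for the parent domain")
	}
	return out
}

func main() {
	p, err := ParseHSTS(OpenSSLHead2013)
	fmt.Printf("parsed: %+v err=%v\n", p, err)
	for _, f := range Findings(p) {
		fmt.Println(" -", f)
	}
}
```

Run against the 2013 capture the parser reports no header at all, which is the single finding; a policy such as `max-age=31536000; includeSubDomains; preload` produces none.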
HCIdivision17, over 11 years ago
For when the page is fixed, it currently says:

TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _
Aaronn, over 11 years ago
Posted on Twitter an hour ago: https://twitter.com/Turkguvenligi/status/417099879463129089

"openssl.org/ owned ;) http://zone-h.org/mirror/id/21425720 …"
davvid, over 11 years ago
Does anyone have any details about how this was done? Was it a compromised admin account, a local root exploit, social engineering, etc? I'm eagerly awaiting the post-mortem.
rhgraysonii, over 11 years ago
Forgive me for the ignorance but why is this significant if at all? Honestly curious, not being facetious.
louwrentius, over 11 years ago
The fact that the OpenSSL maintainers haven't communicated about this issue yet makes me feel very uncomfortable.
srl, over 11 years ago
Other pages are still up (although I haven't checked that they're unmodified) - it does appear the attacker didn't bother to bring anything but the front page down.
s3yfullah, over 11 years ago
Zone-H Mirror > http://www.zone-h.org/mirror/id/21425720
jscheel, over 11 years ago
Their security certificate still appears valid.
kenrick, over 11 years ago
Who is in the favicon?
wzy, over 11 years ago
They're back...
almosnow, over 11 years ago
Is this the site that offered you free SSL certs?