Maybe I'm just a cynic, but do we really need cute exploit names for something that only affects a quite small number of companies as they must be using an F5 BIG-IP device?
F5 Big-IP devices are the market leader in commercial load balancing appliances. I think you rather underestimate the impact. I'm not making any judgement on the branding, there are pros and cons to this approach, but it's certainly something that's going to cause a lot of people pain.
In the Alexa top 1M there were fewer than 1000 sites.
And sites smaller than that top 1M are even less likely to be using it.
I don't find that a very large impact personally. F5 knows who their customers are and can easily contact them.
We don't need a big media panic blitz and dedicated domain name for this.
Fact of the matter is SSL accelerators just aren't all that popular now. SSL got cheaper with session resumption and newer ciphers, CPUs got fast and accelerated instructions for AES, and all but a few people just use CDNs when their needs go beyond that.
These days, the F5 is valued more for its intelligent load balancing than for the SSL offload. The SSL termination is there more for being able to view the request details / payload (for load balancing, app level routing, credit card tokenization, etc.) than to specifically offload the crypto work. It's fairly common, in fact, for the downstream services to also be SSL.
Some people understandably want to do things on-premise, to avoid shipping unnecessary details to companies like Amazon. But for the most part a reverse proxy using varnish or nginx will do the job here. Heck, I think even CloudFlare uses modified nginx.
Cute exploit names AND custom branding/logos, no less!
It's 2017, man. Every little last thing can be bled dry for some sweet, sweet Internet attention. It seems to be one of the most valuable currencies of a new generation of people.
It's also easy to remember "F5 ssl ticket vuln" and that conveys more important information. Like the fact only F5 devices are affected so relatively few have to worry about it.
I think there is definitely a downside because people desensitize to it. When Heartbleed came out it was like, holy crap, it even has a name, it is so bad. I do not feel like that's the case anymore as people have already started to desensitize against the domain-per-exploit.
Who cares? Does a cute exploit name harm anything? Sounds like you're criticizing someone for how they spend their time, and it can get pretty existential pretty fast if you start doing that.
That's what I wondered too. Anecdotally, our company recently replaced Aventail with F5. Prior to that, I had never heard of them (not that it adds any value). I hope we're patched up.
Probably not, but this is just as much an engineering resume piece for Filippo as it is a disclosure, and that's okay. It's a way of being compensated for the time and energy that went into discovering and disclosing it appropriately.
I think people are focusing too much on the name/branding because they don't have an interest in the troubleshooting that led to this discovery, which I found very interesting as I can totally relate to that sort of work.
> It is similar in spirit and implications to the well known Heartbleed vulnerability. It is different in that it exposes 31 bytes at a time instead of 64k, requiring more rounds to carry out an attack, and in that it affects the proprietary F5 TLS stack, not OpenSSL.
It shouldn't be overlooked that to be at risk from this vulnerability requires a non-default option to be enabled. Said another way, by default the option that would put you at risk is disabled; only if you have manually enabled it would you be at risk.