If OpenSSL can get hacked, ANYBODY can.
‘They’ defaced openssl.org not through a vulnerability in the OS or the web code, but by going in through the hosting provider’s hypervisor. The website may have been administered by some of the most paranoid people on the planet, but it was hosted on a virtual server at an ordinary hosting provider.
That virtual server, and the provider’s management console above it, was the “weakest link.”
So much for Qubes, eh? Someone should implement it in hardware — start with a backpack loaded with Raspberry Pis, some crazy-ass KVM logic…
The US continues its slide into a police state — the FBI is no longer a law enforcement agency but is now, officially, the American secret police.
“On Sun 29th December 2013 at around 1am GMT the home page of http://www.openssl.org was defaced. We restored the home page just after 3am GMT and started forensics, investigation, and recovery.
The OpenSSL server is a virtual server which shares a hypervisor with other customers of the same ISP. Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server.
The source repositories were audited and they were not affected.
Other than the modification to the index.html page no changes to the website were made. No vulnerability in the OS or OpenSSL applications was used to perform this defacement.”