On 09/04/14 14:17, Sam Gleske wrote:
> On Tue, Apr 8, 2014 at 11:01 PM, Felipe Vieira <fmv1...@gmail.com
> <mailto:fmv1...@gmail.com>> wrote:
>
> > Dear GNUPG community,
> >
> > I think a lot of inexperienced users would like to know more about
> > the Heartbleed problem found on some of the openssl versions. I
> > have two broad questions and two specific questions:
> >
> > 1) Which type of clients have been compromised (consider an
> > ordinary user)?
> > 2) Which common applications use openssl and are a potential target?
> >
> > 3) Are firefox users compromised?
> > 4) Are RetroShare users compromised?
> >
> > Thanks in advance.
>
> For the most part it is service providers who are affected by the
> bug. There's a handy website to verbosely explain heartbleed.
>
> http://heartbleed.com/
>
> Affected services include HTTP, email servers (SMTP, POP and IMAP
> protocols), chat servers (XMPP protocol), virtual private networks
> (SSL VPNs), databases (e.g. mysql), and pretty much any service that
> uses openssl TLS/SSL to secure transport of services if they're
> recently patched.
>
> Security notices for popular server distros...
> RHEL - https://access.redhat.com/site/solutions/781793
> Ubuntu - http://www.ubuntu.com/usn/usn-2165-1/
>
> CLIENT
>
> There's not much you can do at this point. Update your system
> packages and that's about it.
>
> SERVICE PROVIDER
>
> Essentially you want to take the following steps if you're a service
> provider.
>
> 1. Test for the vulnerability - http://pastebin.com/WmxzjkXJ it is
> also prudent to search for the affected package versions across all
> services.
> 2. If vulnerable patch the OpenSSL version of public front end
> services first. Patch backend services after the front end is secure.
> 3. Reissue SSL private keys and certificates. Since the leak exposes
> the private key it is no longer pristine.
>
> For the remaining more thorough steps of what to do see the
> heartbleed.org <http://heartbleed.org> website which has a nice set of
> instructions.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

It is imperative you revoke old keys! Not just reissue!
Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
tristan.sant...@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
tsant...@fedoraproject.org
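A worked version-triage check for step 1 of the list quoted above ("search for the affected package versions across all services"), added here as an example; it is not code from the thread, from the pastebin test linked there, or from the OpenSSL project. The point it makes is the one that trips people up in practice: distributions backport the fix without bumping the upstream version, so a bare "1.0.1e" on RHEL 6 or "1.0.1" on Ubuntu 12.04 can already be patched, and only the package release number checked against the vendor advisory tells you which. The host inventory is constructed; the two fixed package releases are taken from the RHEL and Ubuntu advisories linked in the thread and should be verified against them before use.

```python
"""Triage OpenSSL version strings for Heartbleed (CVE-2014-0160).

Upstream range: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta/1.0.2-beta1 are
vulnerable; 1.0.1g and 1.0.2-beta2 fixed it; the 0.9.8 and 1.0.0 branches
never contained the heartbeat code.

Distro caveat: a backported fix leaves the upstream version untouched, so
the package release (rpm/dpkg) is what decides. The release comparison below
is a tokenising approximation of rpm/dpkg ordering, good enough for the
release strings involved here; it is not a full reimplementation.
"""
import re
import ssl
from typing import Dict, Iterable, List, Optional, Tuple

# Package releases carrying the backported fix. Values are from the RHEL and
# Ubuntu advisories linked in the thread; treat them as an assumption to be
# checked against those advisories (hypothetical keying by distro/package).
FIXED_RELEASES = {
    ("rhel6", "openssl"): "1.0.1e-16.el6_5.7",
    ("ubuntu-12.04", "libssl1.0.0"): "1.0.1-4ubuntu5.12",
}

_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta|pre)(\d*))?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, str, Optional[str], int]]:
    """Extract (major, minor, fix, letter, pre-tag, pre-number) from an
    'openssl version' line or a package name; None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    pre = m.group(5).lower() if m.group(5) else None
    pre_num = int(m.group(6)) if m.group(6) else 0
    return (major, minor, fix, letter, pre, pre_num)


def upstream_status(v: Tuple[int, int, int, str, Optional[str], int]) -> str:
    """Classify against the upstream affected range only."""
    major, minor, fix, letter, pre, pre_num = v
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f vulnerable; 1.0.1g and later fixed.
        # (len, letter) ordering keeps a hypothetical 1.0.1aa after 1.0.1z.
        return "vulnerable" if (len(letter), letter) <= (1, "f") else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        # Only 1.0.2-beta and 1.0.2-beta1 shipped the bug; beta2 onward fixed.
        return "vulnerable" if pre == "beta" and pre_num <= 1 else "fixed"
    if (major, minor, fix) > (1, 0, 2):
        return "fixed"
    return "not-affected"  # 0.9.8 and 1.0.0 never had the heartbeat code


def _release_key(release: str) -> List[Tuple[int, object]]:
    """Natural-order key so that 'el6_5.7' sorts after 'el6_5.4'."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[^\d]+", release)]


def heartbleed_status(version: str,
                      package_release: Optional[str] = None,
                      fixed_release: Optional[str] = None) -> str:
    """'vulnerable', 'fixed', 'patched' (distro backport), 'not-affected'
    or 'unknown'. Anything in the affected range without proof of a
    backport is reported vulnerable, which is the safe default."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    status = upstream_status(v)
    if status != "vulnerable":
        return status
    if package_release and fixed_release:
        if _release_key(package_release) >= _release_key(fixed_release):
            return "patched"
    return "vulnerable"


def triage(inventory: Iterable[Tuple[str, str, Optional[str], Optional[str], Optional[str]]]) -> Dict[str, str]:
    """Map host -> status for rows of
    (host, 'openssl version' output, distro, package name, package release)."""
    result = {}
    for host, version, distro, package, release in inventory:
        fixed = FIXED_RELEASES.get((distro, package))
        result[host] = heartbleed_status(version, release, fixed)
    return result


# Constructed inventory, not data from any real scan.
SAMPLE_INVENTORY = [
    ("web1", "OpenSSL 1.0.1e 11 Feb 2013", "rhel6", "openssl", "1.0.1e-16.el6_5.4"),
    ("web2", "OpenSSL 1.0.1e 11 Feb 2013", "rhel6", "openssl", "1.0.1e-16.el6_5.7"),
    ("mail1", "OpenSSL 1.0.1", "ubuntu-12.04", "libssl1.0.0", "1.0.1-4ubuntu5.12"),
    ("vpn1", "OpenSSL 1.0.1g 7 Apr 2014", None, None, None),
    ("legacy", "OpenSSL 0.9.8y", None, None, None),
    ("beta", "OpenSSL 1.0.2-beta1", None, None, None),
    ("hazy", "libssl (version unknown)", None, None, None),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
    # The library this interpreter is linked against, by upstream version only.
    print("this python:", ssl.OPENSSL_VERSION, "->", heartbleed_status(ssl.OPENSSL_VERSION))
```

Two things this does not replace. It is a version check, not the heartbeat probe from step 1: a host can show a fixed version string and still run a daemon that mapped the old libssl before the upgrade, so after patching, restart every process still holding the deleted library and re-run the live test. And it says nothing about keys: as Tristan notes, a certificate whose key may have leaked has to be revoked at the CA, not merely replaced.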