On Apr 30, 2014 9:25 PM, "Doug Barton" <do...@dougbarton.us> wrote:
[snip]

> ... your whole premise seems to be invalid as there is no clear
> evidence at this time (that I'm aware of, and I've been paying
> attention) that any actual secret keys have been compromised by
> Heartbleed. It was listed as a potential risk when the vulnerability
> was first announced, but several groups have done research on that
> specific point and have found that it would be sufficiently difficult,
> if not actually impossible, to render this particular risk as
> negligible at best.

Cloudflare did a challenge where a Heartbleed-vulnerable system was exposed to the internet with a challenge to recover the private key. They thought, based on internal testing, it would be quite difficult if not impossible. The key was found within hours:

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

Interestingly, Heartbleed is being used by security researchers to access online forums used by bad guys who, for whatever reason, have not patched their servers:

http://www.bbc.com/news/technology-27203766 -- it is not clear if the researchers are getting private keys, but it certainly appears to be possible.

In regards to certs, I like the principles behind CAcert, but using their certs on public-facing systems can be problematic due to their root not being included in browsers. For practical reasons, using a CA included in browsers is often a better choice. I use and usually recommend StartSSL, but if that's not an option for whatever reason, several CAs offer free-of-charge certs for FOSS projects. Two examples that spring to mind are GoDaddy [1] and GlobalSign [2].

For paid certs, it can often be (considerably) cheaper to buy through a reseller: for example, a PositiveSSL cert from Comodo costs $49/year, but the same cert purchased via NameCheap is only $9/year. Gandi.net, a French registrar, also offers certs chained to Comodo at a reasonable price, though they're slightly more expensive than US-based NameCheap.

Cheers!

-Pete

[1] http://www.godaddy.com/ssl/ssl-open-source.aspx
[2] https://www.globalsign.com/ssl/ssl-open-source/
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users