Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread David Lang
On Fri, 11 Apr 2014, Phil Pennock wrote: On 2014-04-11 at 21:19 +0100, Hazel wrote: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites se

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Phil Pennock
On 2014-04-11 at 21:19 +0100, Hazel wrote: > http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html > > "The U.S. National Security Agency knew for at least two years about a flaw > in the way that many websites send sensitive information, now dubbed

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Šarūnas Burdulis
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/11/2014 04:19 PM, Hazel wrote: > > On 7 Apr 2014 21:42, "Phil Pennock" > wrote: >> >> If you're running OpenSSL 1.0.1 in any Internet-facing services, >> then you'll want to: >> >> (1) Read the advisories (2) D

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Hazel
On 7 Apr 2014 21:42, "Phil Pennock" wrote: > > If you're running OpenSSL 1.0.1 in any Internet-facing services, then > you'll want to: > > (1) Read the advisories > (2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled) > (3) Figure out if you want to do key/cert rotation on a
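The triage steps quoted above (read the advisories, then get to 1.0.1g or a build with heartbeats disabled) are the kind of thing that gets scripted across a fleet. The following is an added example, not code from this thread or from the OpenSSL project: it classifies the text of `openssl version -a` against the affected range the upstream advisory gives (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and checks the recorded cflags for `-DOPENSSL_NO_HEARTBEATS`. The sample outputs and the changelog fragment are constructed for the example; the mapping of the bug to CVE-2014-0160 is supplied here, not taken from the thread. One caveat a practitioner needs: distributions that backport the fix keep the upstream version string (a patched 1.0.1e still reports 1.0.1e), so the version check alone can give a false positive, which is why the function also accepts the package changelog text.

```python
"""Heartbleed triage helper (added example, not from the mailing-list thread).

Classifies an OpenSSL build from the output of `openssl version -a`.
Assumptions: the first output line is the standard version header
("OpenSSL 1.0.1e 11 Feb 2013") and the 'compiler:' line carries the
cflags the library was built with.
"""
import re

# Version header: major.minor.patch, optional release letter, optional "-suffix"
# (e.g. "1.0.2-beta1", "1.0.1e-fips").
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")

# CVE identifier for the heartbeat read-overrun; supplied by this example.
HEARTBLEED_CVE = "CVE-2014-0160"


def parse_version(header_line):
    """Return (major, minor, patch, letter, suffix) from a version header line."""
    m = _VERSION_RE.search(header_line)
    if not m:
        raise ValueError("not an OpenSSL version header: %r" % header_line)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, m.group(4), m.group(5) or "")


def version_is_affected(v):
    """True for upstream releases that ship the vulnerable heartbeat code:
    1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1. 1.0.1g and later,
    and every 1.0.0 / 0.9.8 release, are not affected."""
    major, minor, patch, letter, suffix = v
    if (major, minor, patch) == (1, 0, 1):
        # Release letters are single characters, so "" < "a" < ... < "f" < "g".
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"
    return False


def heartbeats_compiled_out(version_a_output):
    """True if the build recorded -DOPENSSL_NO_HEARTBEATS in its cflags."""
    for line in version_a_output.splitlines():
        if line.startswith("compiler:") and "-DOPENSSL_NO_HEARTBEATS" in line:
            return True
    return False


def assess(version_a_output, package_changelog=""):
    """Classify a build. Returns one of:
    NOT_AFFECTED, HEARTBEATS_DISABLED, PATCHED_BY_DISTRO, VULNERABLE."""
    v = parse_version(version_a_output.splitlines()[0])
    if not version_is_affected(v):
        return "NOT_AFFECTED"
    if heartbeats_compiled_out(version_a_output):
        return "HEARTBEATS_DISABLED"
    # Distro backports keep the upstream version string; trust the changelog.
    if HEARTBLEED_CVE in package_changelog:
        return "PATCHED_BY_DISTRO"
    return "VULNERABLE"


# Constructed sample outputs in the shape of `openssl version -a` (not real hosts).
SAMPLE_VULNERABLE = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 10 00:00:00 UTC 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -m64 -DL_ENDIAN -O3 -Wall
OPENSSLDIR: "/usr/lib/ssl"
"""

SAMPLE_NO_HEARTBEATS = SAMPLE_VULNERABLE.replace(
    "-DOPENSSL_THREADS", "-DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS")

SAMPLE_FIXED = SAMPLE_VULNERABLE.replace(
    "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014")

# Constructed changelog fragment of the kind a distro ships with a backported fix.
SAMPLE_CHANGELOG = """openssl (1.0.1e-2+example1) stable; urgency=high

  * Add patch for CVE-2014-0160 (TLS heartbeat read overrun).
"""


if __name__ == "__main__":
    for name, out in (("vulnerable", SAMPLE_VULNERABLE),
                      ("no-heartbeats", SAMPLE_NO_HEARTBEATS),
                      ("1.0.1g", SAMPLE_FIXED)):
        print("%-14s %s" % (name, assess(out)))
    print("%-14s %s" % ("backported", assess(SAMPLE_VULNERABLE, SAMPLE_CHANGELOG)))
```

Run it against the output of `openssl version -a` from each host (and, on Debian-style systems, the package changelog) rather than against `openssl version` alone; a library that is patched but still reports 1.0.1e is the common false positive, and a server that statically links its own OpenSSL is the common false negative, which no version string on the host will reveal.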

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Jeremy Page
"A million regular users can help to make a program more reliable (due to bug reports), but they won't make it more secure. (Except to the extent that those million users attract more attackers.) " I agree with this if "more secure" means less likely to ever have a vulnerability, but not if it is m

Re: [lopsa-tech] OpenSSL "heartbleed" vulnerability

2014-04-11 Thread Marc Fournier
Excerpts from Brandon Allbery's message of 2014-04-10 21:24:15 +0200: > On Thu, Apr 10, 2014 at 3:17 PM, Stephan Fabel wrote: > > > Question: given this issue, would anyone recommend switching SSL > > libraries?What about PolarSSL, for example? > > > > Even with this issue, I think openssl gets