-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/11/2014 04:19 PM, Hazel wrote:
>
> On 7 Apr 2014 21:42, "Phil Pennock" <lopsa-t...@spodhuis.org <mailto:lopsa-t...@spodhuis.org>> wrote:
>>
>> If you're running OpenSSL 1.0.1 in any Internet-facing services,
>> then you'll want to:
>>
>> (1) Read the advisories
>> (2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled)
>> (3) Figure out if you want to do key/cert rotation on assumption of compromise
>>
>> Short version: length-checking flaw in TLS Heartbeats allows for
>> 64kB of memory disclosure, and the researchers have proven that
>> they can use this to exfiltrate the certificate's private key,
>> and that this leaves no audit log. Affects all releases of
>> OpenSSL 1.0.1 prior to today's "g" release.
Re: private keys — "It ain't necessarily so" [1]

> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
> "The U.S. National Security Agency knew for at least two years
> about a flaw in the way that many websites send sensitive
> information, now dubbed the Heartbleed bug, and regularly used it
> to gather critical intelligence, two people familiar with the
> matter said."
>
> Hahahaha...

"Two people"? *Anyone* can now say they knew it for two years.

Much too much panic lately…

Šarūnas

- ----------------------------------------------------------------------
1. http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlNIW/kACgkQVVkpJ1MUn+YApwCgiNSBSrG+/QHP5y1gmbjYJwi4
dpIAn2mn78yxl6uqKZH06t4LPxbsJEX9
=PCMF
-----END PGP SIGNATURE-----

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
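The "length-checking flaw in TLS Heartbeats" Phil summarises in the quoted message, shown as an added worked example that is not part of this thread and is not OpenSSL's own code. It models a heartbeat record in the RFC 6520 layout (1-byte type, 2-byte big-endian payload_length, payload, 16 bytes of padding) and contrasts a handler that trusts the peer-supplied payload_length with one that applies the 1.0.1g-style check (discard the record if header + claimed payload + padding does not fit in what was actually received). The arena buffer, the SECRET string placed after the record, the ARENA_SIZE limit and all function names are assumptions constructed for the example so the over-read stays inside memory the program owns; in the real bug the over-read walked into neighbouring heap data.

```c
/* Added example (not OpenSSL code): why an unchecked heartbeat
 * payload_length leaks memory, and the check that stops it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16     /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE  256    /* constructed: keeps every read inside this buffer */

/* Constructed stand-in for whatever sat next to the record on the heap. */
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";

/* Build a heartbeat request at the start of the arena, then place SECRET
 * immediately after it. claimed_len may exceed real_len to reproduce the
 * bug. Returns the length of the record actually "received". */
static size_t build_heartbeat(uint8_t *arena, size_t claimed_len,
                              const uint8_t *payload, size_t real_len) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);      /* payload_length, big-endian */
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    size_t record_len = 3 + real_len + HB_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET);  /* "neighbouring" memory */
    return record_len;
}

/* Vulnerable handler: never consults record_len, copies payload_length
 * bytes from wherever the payload starts. Returns response payload bytes. */
static size_t hb_respond_vulnerable(const uint8_t *rec, size_t record_len,
                                    uint8_t *out, size_t out_size) {
    (void)record_len;                              /* the bug: ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len + 3 + HB_PADDING > out_size)
        return 0;                                  /* only bounds the *write* */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);         /* over-reads past the record */
    return payload_len;
}

/* Fixed handler: the claimed payload plus header and padding must fit
 * inside the bytes that were actually received, otherwise drop silently. */
static size_t hb_respond_fixed(const uint8_t *rec, size_t record_len,
                               uint8_t *out, size_t out_size) {
    if (record_len < 3)
        return 0;                                  /* no room for type + length */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > record_len)
        return 0;                                  /* the 1.0.1g-style check */
    if ((size_t)payload_len + 3 + HB_PADDING > out_size)
        return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return payload_len;
}

/* 1 if the constructed SECRET appears anywhere in the returned payload. */
static int payload_contains_secret(const uint8_t *p, size_t n) {
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(p + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

/* Send a 4-byte "ping" that claims claimed_len bytes of payload through
 * the chosen handler. Returns the response payload length (0 = dropped)
 * and reports via *leaked whether SECRET came back. */
static size_t run_heartbeat(int use_fixed, size_t claimed_len, int *leaked) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    const uint8_t ping[4] = {'p', 'i', 'n', 'g'};
    memset(out, 0, sizeof out);
    size_t record_len = build_heartbeat(arena, claimed_len, ping, sizeof ping);
    size_t n = use_fixed ? hb_respond_fixed(arena, record_len, out, sizeof out)
                         : hb_respond_vulnerable(arena, record_len, out, sizeof out);
    *leaked = payload_contains_secret(out + 3, n);
    return n;
}

static int heartbeat_leaks(int use_fixed, size_t claimed_len) {
    int leaked; run_heartbeat(use_fixed, claimed_len, &leaked); return leaked;
}

static size_t heartbeat_response_len(int use_fixed, size_t claimed_len) {
    int leaked; return run_heartbeat(use_fixed, claimed_len, &leaked);
}

int main(void) {
    printf("vulnerable, claims 64 bytes: %zu bytes back, secret leaked=%d\n",
           heartbeat_response_len(0, 64), heartbeat_leaks(0, 64));
    printf("fixed, claims 64 bytes:      %zu bytes back, secret leaked=%d\n",
           heartbeat_response_len(1, 64), heartbeat_leaks(1, 64));
    printf("fixed, honest 4 bytes:       %zu bytes back\n",
           heartbeat_response_len(1, 4));
    return 0;
}
```

The vulnerable path still has a bounds check, but only on the destination; that is exactly why the bug was hard to spot in review. Note that neither handler logs the dropped or over-long request, which is the "leaves no audit log" point in the quoted message: detecting exploitation needs network-level inspection of heartbeat records, not server logs.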