André,

On 4/11/14, 2:52 AM, André Warnier wrote:
> As I understand it, the real bitch about this bug, is that *during
> the whole period in which your server was vulnerable*, a
> knowledgeable attacker would have been able to connect to your
> server and grab the contents of arbitrary 64 K chunks of memory.

Correct. It's ... kind of bad.

> There are at least 3 consequences:
>
> 1) if you do not change your keys and/or passwords now, then in the
> future that attacker (and whoever he gives or sells the
> information to) will be able to access your server with the stolen
> credentials, and do whatever these credentials allow him to do.

Correct: if your server keys have been stolen, then even after you patch your server the damage has been done -- an attacker can decrypt any traffic they capture in the future. That's why you must re-key. Remember to patch first, then re-key ;)

> 2) if these stolen credentials apply to other systems too, even
> ones that are not vulnerable and have never been, he can use them
> there too. (people use the same keys and passwords for multiple
> services, that's just a fact of life)

+1

If you re-use the key+cert on other servers, then their traffic can be decrypted as well if your key has been stolen.

> 3) if he has recorded past encrypted traffic to/from your server,
> and saved this recording, then he can at any time go back and
> decrypt this past traffic, and pick up anything interesting from
> there, even without having the new keys.

Well, the new keys are irrelevant for "old traffic."

> Such a recording could contain, for example, any number of submits
> from HTML login pages, which were theoretically protected by
> being made on an encrypted channel. That could probably also
> contain any communications which your server did with other servers
> over encrypted channels.

Correct: you have to assume that basically your traffic has been essentially unencrypted during the period of vulnerability.
That's why everyone has to change all their passwords. For everything. Everywhere.

Have fun!

-chris
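The remediation logic the two posters agree on (patch before re-keying, treat any key that predates the patch as stolen, and note that one shared key exposes every host using it) written as a small inventory audit. This is an added example, not code from the thread or from Tomcat; the `HostRecord` class, the `audit` function and all host names, dates and fingerprints are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class HostRecord:
    host: str
    patched_at: Optional[datetime]  # when the vulnerable OpenSSL was replaced, None if still unpatched
    key_fingerprint: str            # fingerprint of the server's public key (constructed placeholder)
    key_issued_at: datetime         # when the current key/cert was generated


def audit(records: List[HostRecord]) -> Dict[str, List[str]]:
    """Return, per host, the findings a defender must act on after a memory-leak bug."""
    findings: Dict[str, List[str]] = {r.host: [] for r in records}
    for r in records:
        if r.patched_at is None:
            # Re-keying an unpatched server is pointless: the new key can leak just like the old one.
            findings[r.host].append("unpatched")
        elif r.key_issued_at <= r.patched_at:
            # Any key that existed while the server was vulnerable must be assumed stolen.
            findings[r.host].append("key-predates-patch")
    # A key shared by several hosts: one theft decrypts the traffic of all of them.
    by_key: Dict[str, List[str]] = {}
    for r in records:
        by_key.setdefault(r.key_fingerprint, []).append(r.host)
    for hosts in by_key.values():
        if len(hosts) > 1:
            for h in hosts:
                findings[h].append("key-shared-with:" + ",".join(o for o in hosts if o != h))
    return findings


# Constructed inventory; the timestamps are illustrative, not real deployment data.
INVENTORY = [
    HostRecord("www1", datetime(2014, 4, 8, 10), "fp-A", datetime(2014, 4, 8, 14)),
    HostRecord("www2", datetime(2014, 4, 8, 10), "fp-B", datetime(2014, 4, 8, 9)),   # re-keyed too early
    HostRecord("api",  None,                     "fp-B", datetime(2013, 6, 1)),      # unpatched, shares key
    HostRecord("mail", datetime(2014, 4, 9, 8),  "fp-C", datetime(2013, 1, 1)),      # never re-keyed
]


def audit_inventory() -> Dict[str, List[str]]:
    return audit(INVENTORY)


if __name__ == "__main__":
    for host, problems in audit_inventory().items():
        print(host, problems or "ok")
```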