Heartbleed attack on Openssl
Tristan Santore
tristan.santore at internexusconnect.net
Wed Apr 9 15:59:27 CEST 2014
On 09/04/14 14:17, Sam Gleske wrote:
> On Tue, Apr 8, 2014 at 11:01 PM, Felipe Vieira <fmv1992 at gmail.com
> <mailto:fmv1992 at gmail.com>> wrote:
>
> Dear GNUPG community,
> I think a lot of unexperienced users would like to know more about
> the Heartbleed problem found on some of the openssl versions. I
> have two broad questions and two specific questions:
> 1) Which type of clients have been compromised (consider an
> ordinary user)?
> 2) Which common applications use openssl and are a potential target?
>
> 2) Are firefox users compromised?
> 3) Are RetroShare users compromised?
> Thanks in advance.
>
>
> For the most part it is service providers who are affected by the
> bug. There's a handy website to verbosely explain heartbleed.
>
> http://heartbleed.com/
>
> Affected services include HTTP, email servers (SMTP, POP and IMAP
> protocols), chat servers (XMPP protocol), virtual private networks
> (SSL VPNs), databases (e.g. mysql), and pretty much any service that
> uses openssl TSL/SSL to secure transport of services if they're
> recently patched.
>
> Security notices for popular server distros...
> RHEL - https://access.redhat.com/site/solutions/781793
> Ubuntu - http://www.ubuntu.com/usn/usn-2165-1/
>
> CLIENT
>
> There's not much you can do at this point. Update your system
> packages and that's about it.
>
> SERVICE PROVIDER
> Essentially you want to take the following steps if you're service
> provider.
>
> 1. Test for the vulnerability - http://pastebin.com/WmxzjkXJ it is
> also prudent to search for the affected package versions across all
> services.
> 2. If vulnerable patch the OpenSSL version of public front end
> services first. Patch backend services after the front end is secure.
> 3. Reissue SSL private keys and certificates. Since the leak exposes
> the private key it is no longer pristine.
>
> For the remaining more thorough steps of what to do see the
> heartbleed.org <http://heartbleed.org> website which has a nice set of
> instructions.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
It is imperative you revoke old keys! Not just reissue!
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore at fedoraproject.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140409/fb8f2558/attachment-0001.html>
More information about the Gnupg-users
mailing list