[ale] OpenSSL Broken, Upgrade Now
leam hall
leamhall at gmail.com
Mon Apr 14 14:23:47 EDT 2014
This seems to fall under "better safe than sorry"...
On Mon, Apr 14, 2014 at 2:18 PM, Lightner, Jeff <JLightner at dsservices.com> wrote:
> At least one of our partners did that the day the bug was announced.
>
> Since you can’t tell whether you’ve been exploited or not some people are
> choosing to replace keys rather than worry about whether or not they’ve
> been exploited.
>
> Symantec (VeriSign, one of the CAs) sent an alert that, if I read it
> properly, suggests you should change your SSL certificate.
>
> https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD831
>
> *From:* ale-bounces at ale.org [mailto:ale-bounces at ale.org] *On Behalf Of* Edward Holcroft
> *Sent:* Monday, April 14, 2014 2:15 PM
> *To:* Atlanta Linux Enthusiasts
> *Subject:* Re: [ale] OpenSSL Broken, Upgrade Now
>
> This article says that ssl certificates could have been stolen:
>
> http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/
>
> Does this really mean I need to replace the ssl keys on every one of my
> Amazon Linux boxes, even non-web servers with access allowed only from
> pre-assigned IP addresses? Please tell me it's not so!
>
> ed
>
> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik <david at systemoverlord.com>
> wrote:
>
> TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider replacing keys.
> Not as bad as Debian OpenSSL bug, but worse than "goto fail;".
>
> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
> cryptographic software library. This weakness allows stealing the
> information protected, under normal conditions, by the SSL/TLS encryption
> used to secure the Internet. SSL/TLS provides communication security and
> privacy over the Internet for applications such as web, email, instant
> messaging (IM) and some virtual private networks (VPNs).
>
> The Heartbleed bug allows anyone on the Internet to read the memory of the
> systems protected by the vulnerable versions of the OpenSSL software. This
> compromises the secret keys used to identify the service providers and to
> encrypt the traffic, the names and passwords of the users and the actual
> content. This allows attackers to eavesdrop communications, steal data
> directly from the services and users and to impersonate services and users."
>
> http://heartbleed.com
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
> --
> Edward Holcroft | Madsen Kneppers & Associates Inc.
> 11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
> O (770) 446-9606 | M (770) 630-0949
--
Mind on a Mission <http://leamhall.blogspot.com/>