Most people have probably heard about this already, but if not, *patch your OpenSSL now!* and restart your daemons.
CVE-2014-0160
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
For some reason you (sometimes) have to reload that page a few times before it actually loads.
This is the worst bug I've seen in like 10 years, insofar as you may have been compromised already, but you don't (can't!) know it and they may be sitting there with your keys, waiting to actually make use of them at a later date.
From how I read it, the only way to be safe & sure is to make a new CSR and buy a new SSL cert? Or are the cert vendors going to offer a "redo" for free?
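An added check for the "restart your daemons" step (example script, not from the thread or the MUUG list): after the OpenSSL package is upgraded, any daemon that loaded the old libssl/libcrypto keeps running the vulnerable code until it is restarted. It assumes a Linux host with /proc, where the kernel marks a mapping of a replaced file "(deleted)" in /proc/<pid>/maps; the sample maps lines inside are constructed.

```shell
# Added example, not code from the thread. Assumption: Linux with /proc, where
# /proc/<pid>/maps shows "(deleted)" after the library file on disk was replaced.
# Caveat: daemons with a statically linked or bundled OpenSSL are not caught.

# Return 0 if the given maps file references a replaced (deleted) OpenSSL library.
uses_stale_openssl() {
    grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$1" 2>/dev/null
}

# Print "<pid> <command>" for every running process that still needs a restart.
find_stale_daemons() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if uses_stale_openssl "$maps"; then
            printf '%s %s\n' "$pid" "$(tr -d '\0' < "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
    return 0
}

# Constructed sample maps lines (not real output) showing what the check keys on.
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
      '7f3a0c000000-7f3a0c060000 r-xp 00000000 08:01 4242 /usr/lib/libssl.so.1.0.0 (deleted)' \
      '7f3a0c200000-7f3a0c300000 r-xp 00000000 08:01 4243 /usr/lib/libcrypto.so.1.0.0 (deleted)' \
      > "$tmp"
    if uses_stale_openssl "$tmp"; then echo "sample maps: process needs a restart"; fi
    rm -f "$tmp"
}

demo
echo "Processes still mapping a replaced OpenSSL library (empty means none found):"
find_stale_daemons
```

Run it as root after the upgrade so every process's maps file is readable; an empty list only means no dynamically linked OpenSSL is stale.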
Most SSL certificate providers are allowing their customers to revoke & reissue certificates at no charge as long as none of the details (including verification method) change. -Adam
On April 10, 2014 6:04:18 PM CDT, Trevor Cordes trevor@tecnopolis.ca wrote:
Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
Regarding this attack, the main thing that could be compromised is the SSL private key. But other than that, what else could be leaked? Anything in memory of the process / service being exploited. Password hashes, possibly even plaintext for email, etc. As long as the process(es) in question aren't running as root, damage shouldn't be too bad. Things such as, oh, the shadow file, or private ssh keys, still remaining safe. Hopefully I'm not missing anything with this vulnerability, but if I am I'd sure like to know.
Thanks, Paul
On 04/10/2014 06:28 PM, Adam Thompson wrote:
Information leakage. Any query strings, POST variables, responses, etc. And if you use e.g. mod_php or mod_perl, internal variable state. Notably this includes *decrypted* credit card #s. -Adam
On April 10, 2014 7:03:58 PM CDT, Paul Sierks psierks@sierkstech.net wrote: