[sf-lug] Heartbleed TLS/SSL bug

Jeff Bragg jackofnotrades at gmail.com
Wed Apr 9 20:47:31 PDT 2014


I forgot to mention, if you use SSL certificates, replace/reissue them (key
and cert both).


On Wed, Apr 9, 2014 at 8:41 PM, Jeff Bragg <jackofnotrades at gmail.com> wrote:

> I would imagine that most members of this list are already aware of this,
> and have taken steps towards remediation, but in case you haven't heard of
> this, or haven't updated OpenSSL anywhere you have it installed, or haven't
> changed your passwords, this particular bug, publicly announced earlier
> this week, is very serious.  The long and the short of it is that the
> vulnerable sites may have leaked your (not to mention other users' and their
> own) information in a way that is not detectable, and which can leave users
> open to man-in-the-middle attacks, retroactive decryption of data captured
> previously, and so forth.  Many (I hope most) major sites have remedied the
> problem on their servers, but seemingly few have bothered to tell their
> users that they *must change their passwords* in order to ensure safety
> going forward (except for sites that were never vulnerable, but I would not
> personally take their word for it).
>
> In other words, go change your passwords as soon as possible.
>
> More information:
>
> http://heartbleed.com/
>
> http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087
>
> http://unix.stackexchange.com/questions/123711/how-do-i-recover-from-the-heartbleed-bug-in-openssl
>
> And some sites for testing vulnerability:
>
> http://filippo.io/Heartbleed/
> https://www.ssllabs.com/ssltest/
>