[sf-lug] Heartbleed TLS/SSL bug

Jeff Bragg jackofnotrades at gmail.com
Wed Apr 9 20:55:56 PDT 2014


Clear your browser data, too.  Non-revoked certificates can still
potentially be used to exploit older sessions (originating from before
upgrade).


On Wed, Apr 9, 2014 at 8:47 PM, Jeff Bragg <jackofnotrades at gmail.com> wrote:

> I forgot to mention, if you use SSL certificates, replace/reissue them
> (key and cert both).
>
>
> On Wed, Apr 9, 2014 at 8:41 PM, Jeff Bragg <jackofnotrades at gmail.com> wrote:
>
>> I would imagine that most members of this list are already aware of this,
>> and have taken steps towards remediation, but in case you haven't heard of
>> this, or haven't updated OpenSSL anywhere you have it installed, or haven't
>> changed your passwords, this particular bug, publicly announced earlier
>> this week, is very serious.  The long and the short of it is that the
>> vulnerable sites may have leaked your (not to mention other users' and their
>> own) information in a way that is not detectable, and which can leave users
>> open to man-in-the-middle attacks, retroactive decryption of data captured
>> previously, and so forth.  Many (I hope most) major sites have remedied the
>> problem on their servers, but seemingly few have bothered to tell their
>> users that they *must change their passwords* in order to ensure safety
>> going forward (except for sites that were never vulnerable, but I would not
>> personally take their word for it).
>>
>> In other words, go change your passwords as soon as possible.
>>
>> More information:
>>
>> http://heartbleed.com/
>>
>> http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087
>>
>> http://unix.stackexchange.com/questions/123711/how-do-i-recover-from-the-heartbleed-bug-in-openssl
>>
>> And some sites for testing vulnerability:
>>
>> http://filippo.io/Heartbleed/
>> https://www.ssllabs.com/ssltest/
>>
>
>