Particularly nasty OpenSSL vulnerability

bhtooefr:
In case anyone hasn't heard about this yet: http://heartbleed.com

In other words: THE WORLD IS ENDING. Or, time to update/recompile OpenSSL on any affected machines, and then change any passwords used by processes that use the affected OpenSSL for TLS, revoke all certificates used with said processes (because private keys may have leaked), and get new ones.

And you thought this week's only infosec nightmare was going to be XP's end of life.

pwhodges:
It's impossible to get onto the OpenSSL site at present.

My SSL server at home isn't OpenSSL, and my OpenBSD firewall has a version that is not vulnerable.
EDIT: Oops - mixing up SSH and SSL here; just a brain-fart.

snalin:
Wait, does this mean that ssh keys are compromised?

Fuuuuuu

pwhodges:
May be - and there's no way to tell if it happened.

ankhtahr:
SSL, not SSH. SSH in the default configuration doesn't use SSL. It uses RSA or DSA keys for authentication and AES for transport. But if you operate a server which offers SSL-encrypted services, like HTTPS, IMAP, SMTP, XMPP, Mumble and so on, you'll need a new certificate, because the private key might have been compromised.
