Heartbleed attack on Openssl

Tristan Santore tristan.santore at internexusconnect.net
Wed Apr 9 15:59:27 CEST 2014

On 09/04/14 14:17, Sam Gleske wrote:
> On Tue, Apr 8, 2014 at 11:01 PM, Felipe Vieira <fmv1992 at gmail.com
> <mailto:fmv1992 at gmail.com>> wrote:
>     Dear GNUPG community,
>     I think a lot of unexperienced users would like to know more about
>     the Heartbleed problem found on some of the openssl versions. I
>     have two broad questions and two specific questions:
>     1) Which type of clients have been compromised (consider an
>     ordinary user)?
>     2) Which common applications use openssl and are a potential target?
>     2) Are firefox users compromised?
>     3) Are RetroShare users compromised?
>     Thanks in advance.
> For the most part it is service providers who are affected by the
> bug.  There's a handy website to verbosely explain heartbleed.
> http://heartbleed.com/
> Affected services include HTTP, email servers (SMTP, POP and IMAP
> protocols), chat servers (XMPP protocol), virtual private networks
> (SSL VPNs), databases (e.g. mysql), and pretty much any service that
> uses openssl TSL/SSL to secure transport of services if they're
> recently patched.
> Security notices for popular server distros...
> RHEL - https://access.redhat.com/site/solutions/781793
> Ubuntu - http://www.ubuntu.com/usn/usn-2165-1/
> There's not much you can do at this point.  Update your system
> packages and that's about it.
> Essentially you want to take the following steps if you're  service
> provider.
> 1. Test for the vulnerability - http://pastebin.com/WmxzjkXJ it is
> also prudent to search for the affected package versions across all
> services.
> 2. If vulnerable patch the OpenSSL version of public front end
> services first.  Patch backend services after the front end is secure.
> 3. Reissue SSL private keys and certificates.  Since the leak exposes
> the private key it is no longer pristine.
> For the remaining more thorough steps of what to do see the
> heartbleed.org <http://heartbleed.org> website which has a nice set of
> instructions.
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
It is imperative you revoke old keys! Not just reissue!



Tristan Santore BSc MBCS
Network and Infrastructure Operations
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140409/fb8f2558/attachment-0001.html>

More information about the Gnupg-users mailing list