Access to www.gnupg.org only via TLS

Pete Stephenson pete at heypete.com
Wed Apr 30 22:28:15 CEST 2014


On Apr 30, 2014 9:25 PM, "Doug Barton" <dougb at dougbarton.us> wrote:

[snip]

> ... your whole premise seems to be invalid as there is no clear evidence
> at this time (that I'm aware of, and I've been paying attention) that any
> actual secret keys have been compromised by Heartbleed. It was listed as a
> potential risk when the vulnerability was first announced, but several
> groups have done research on that specific point and have found that it
> would be sufficiently difficult, if not actually impossible, to render this
> particular risk as negligible at best.

Cloudflare did a challenge where a Heartbleed-vulnerable system was exposed
to the internet with a challenge to recover the private key. They thought,
based on internal testing, it would be quite difficult if not impossible.
The key was found within hours:
http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

Interestingly, Heartbleed is being used by security researchers to access
online forums used by bad guys who, for whatever reason, have not patched
their servers:
http://www.bbc.com/news/technology-27203766 -- it is not clear if the
researchers are getting private keys, but it certainly appears to be
possible.

In regards to certs, I like the principles behind CAcert, but using their
certs on public-facing systems can be problematic due to their root not
being included in browsers. For practical reasons, using a CA included in
browsers is often a better choice.

I use and usually recommend StartSSL but if that's not an option for
whatever reason, several CAs offer free-of-charge certs for FOSS projects.
Two examples that spring to mind are GoDaddy [1] and GlobalSign [2].

For paid certs, it can often be (considerably) cheaper to buy through a
reseller: for example, a PositiveSSL cert from Comodo costs $49/year, but
the same cert purchased via NameCheap is only $9/year.

Gandi.net, a French registrar, also offers certs chained to Comodo at a
reasonable price, though they're slightly more expensive than US-based
NameCheap.

Cheers!
-Pete

[1] http://www.godaddy.com/ssl/ssl-open-source.aspx
[2] https://www.globalsign.com/ssl/ssl-open-source/