On Tue, Apr 8, 2014 at 11:01 PM, Felipe Vieira <[email protected]> wrote:
> Dear GNUPG community,
>
> I think a lot of inexperienced users would like to know more about the
> Heartbleed problem found on some of the openssl versions. I have two broad
> questions and two specific questions:
>
> 1) Which type of clients have been compromised (consider an ordinary user)?
> 2) Which common applications use openssl and are a potential target?
>
> 2) Are firefox users compromised?
> 3) Are RetroShare users compromised?
>
> Thanks in advance.

For the most part it is service providers who are affected by the bug. There's a handy website that verbosely explains heartbleed:

http://heartbleed.com/

Affected services include HTTP, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), databases (e.g. mysql), and pretty much any service that uses openssl TLS/SSL to secure transport of services if they're recently patched.

Security notices for popular server distros...

RHEL - https://access.redhat.com/site/solutions/781793
Ubuntu - http://www.ubuntu.com/usn/usn-2165-1/

CLIENT

There's not much you can do at this point. Update your system packages and that's about it.

SERVICE PROVIDER

Essentially you want to take the following steps if you're a service provider.

1. Test for the vulnerability - http://pastebin.com/WmxzjkXJ
   It is also prudent to search for the affected package versions across all services.
2. If vulnerable, patch the OpenSSL version of public front end services first. Patch backend services after the front end is secure.
3. Reissue SSL private keys and certificates. Since the leak exposes the private key it is no longer pristine.

For the remaining more thorough steps of what to do see the heartbleed.org website which has a nice set of instructions.
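Added example (not from this thread or any of its posters), in Python: a defender-side triage helper for steps 1 and 2 above that classifies `openssl version` banners against the upstream affected range (1.0.1 through 1.0.1f and the 1.0.2 betas) and lists the vulnerable services public-facing first. The service inventory is constructed sample data, and the built-on date check is a heuristic: distro packages that backport the fix keep the old upstream version string, so such builds are flagged for a check against the vendor advisory rather than declared safe.

```python
import re

# Upstream releases with the Heartbleed bug: 1.0.1 through 1.0.1f and the 1.0.2 betas.
# 1.0.1g (7 Apr 2014) is the upstream fix; 0.9.8 and 1.0.0 never had the heartbeat code.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")
FIX_DATE = (2014, 4, 7)


def classify(banner, built_on=None):
    """Return 'not_affected', 'vulnerable', 'fixed' or 'check_advisory' for a banner.

    built_on is an optional (year, month, day) from `openssl version -a`. Vendor packages
    keep the upstream string when they backport the fix, so a 1.0.1e build compiled on or
    after the fix date is inconclusive and must be checked against the advisory (heuristic).
    """
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised banner: %r" % banner)
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if base < (1, 0, 1):
        return "not_affected"
    if base == (1, 0, 1):
        if letter >= "g":
            return "fixed"
        if built_on is not None and built_on >= FIX_DATE:
            return "check_advisory"
        return "vulnerable"
    if base == (1, 0, 2) and beta:
        return "vulnerable"
    return "fixed"


def patch_order(inventory):
    """inventory: list of (service, is_public, banner). Returns the plainly vulnerable
    services, public-facing ones first, mirroring 'front end before backend'."""
    hits = [(name, public) for name, public, banner in inventory
            if classify(banner) == "vulnerable"]
    return [name for name, public in sorted(hits, key=lambda t: not t[1])]


# Constructed sample inventory (hypothetical services, not real hosts).
SAMPLE_INVENTORY = [
    ("nginx (public HTTPS)", True, "OpenSSL 1.0.1e 11 Feb 2013"),
    ("postfix (public SMTP)", True, "OpenSSL 1.0.1f 6 Jan 2014"),
    ("mysql (internal)", False, "OpenSSL 1.0.1c 10 May 2012"),
    ("legacy app (internal)", False, "OpenSSL 0.9.8y 5 Feb 2013"),
    ("ejabberd (public XMPP)", True, "OpenSSL 1.0.1g 7 Apr 2014"),
]
```

A "check_advisory" result is not a clean bill of health; compare the package version with the RHEL or Ubuntu notice linked above before marking a host as patched.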
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
