On Tue, Apr 8, 2014 at 8:32 PM, chris <[email protected]> wrote:
> Hi All
> This arrived in my mail box a few moments ago.
> Http://heartbleed.com/
> Question
>
> Is this a hoax?
> If not, how serious is it?
This isn't very serious for a user. For a server administrator, however, patching is a required start, but not the end of the story.

Where possible, if you run TLS services (normally HTTPS, but also SMTP, IMAPS and so on), you should assume that your private key has been leaked some time in the past, and create a new private key and get a new certificate. This often costs $$$, so you should see if your certificate authority will revoke/replace for free.

You should also consider the potential exposure for your use of TLS; i.e. if you let users log in over HTTPS, you should consider that their passwords might have been exposed to someone, or that the private data served over HTTPS has been leaked. Do you need to change all passwords, change all secrets, apologise profusely? Do you really need to spring $$$ for a new certificate when you only just got an expensive 3-year one?

I'd hazard a guess that for most people who don't already know how to answer that question the answer is "it doesn't really matter", and after you have upgraded your packages & restarted your services that'll be the end of it.

-jim

_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
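The two administrator steps jim describes (confirm whether the installed OpenSSL is affected, then treat the old key as compromised and generate a replacement) as an added example; this is not code from the mailing list or from heartbleed.com. Heartbleed is CVE-2014-0160 and affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and the 1.0.0/0.9.8 branches are unaffected. The version-string check below is only a first cut: distributions backport the fix without bumping the version (so also look at the build date from `openssl version -b` and at distro advisories), and a build compiled with `-DOPENSSL_NO_HEARTBEATS` (visible in `openssl version -f`) is not vulnerable either. The hostname and file names in the rekey function are assumptions for illustration.

```shell
#!/bin/sh
# Classify an "openssl version" string against the Heartbleed-affected range.
# Prints "vulnerable", "not-vulnerable", or "unknown" (and returns 2) if the
# string cannot be parsed. Version string alone is not conclusive: distro
# backports keep the old version number, so also check the build date.
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.a-z-]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    case "$ver" in
        # 1.0.1 .. 1.0.1f, including suffixed builds such as 1.0.1e-fips,
        # plus the 1.0.2-beta1 release
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        *) echo not-vulnerable ;;
    esac
}

# After patching, assume the old private key was read out of process memory:
# generate a fresh key and CSR, then ask the CA to reissue and revoke the old
# certificate. File names derived from the hostname are illustrative.
rekey() {
    host=$1
    umask 077                                # new key readable by root only
    openssl genrsa -out "$host.key.new" 2048
    openssl req -new -key "$host.key.new" -out "$host.csr" -subj "/CN=$host"
    echo "Submit $host.csr to the CA, install the new cert with $host.key.new,"
    echo "restart every TLS service, then have the old certificate revoked."
}

# Usage: ./heartbleed-check.sh            -> report status of this host's openssl
#        ./heartbleed-check.sh rekey HOST -> generate replacement key and CSR
if [ "${1:-}" = rekey ] && [ -n "${2:-}" ]; then
    rekey "$2"
elif command -v openssl >/dev/null 2>&1; then
    echo "this host: $(heartbleed_version_status "$(openssl version)") ($(openssl version -b))"
fi
```

Even a "not-vulnerable" result does not settle the question of past exposure: if the service ran an affected build at any time between the bug's release in 2012 and the patch, the key and any session data should still be treated as leaked, which is the reasoning behind rekeying rather than only upgrading.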
