Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Marcus G. Daniels
On Thu, 2014-04-10 at 10:20 -0600, Joshua Thorp wrote:
> according to
> https://www.schneier.com/blog/archives/2014/04/heartbleed.html
> http://security.stackexchange.com/questions/55382/heartbleed-read-only-the-next-64k-and-hyping-the-threat
>
> apparently the bug gives access to 64K chunk of

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Gillian Densmore
Is now a bad time to suggest this might be an 'internet wargames test'?

On Thu, Apr 10, 2014 at 10:47 AM, Owen Densmore wrote:
> The follow-on links are pretty good too.
>
> -- Owen
>
> On Thu, Apr 10, 2014 at 10:20 AM, Joshua Thorp wrote:
>> according to
>> https://www.schneier.com/blog/

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Owen Densmore
The follow-on links are pretty good too.

-- Owen

On Thu, Apr 10, 2014 at 10:20 AM, Joshua Thorp wrote:
> according to
> https://www.schneier.com/blog/archives/2014/04/heartbleed.html
> http://security.stackexchange.com/questions/55382/heartbleed-read-only-the-next-64k-and-hyping-the-threat

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Barry MacKichan
Of course, after our certificate is renewed, we will need to revoke our current certificate. See this link for some of the consequences of having millions of certificates revoked at the same time: http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-r

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Barry MacKichan
http://filippo.io/Heartbleed/ has been invaluable.

—Barry

Our vulnerable servers are all Linux Drupal machines on Amazon's EC2.

On 10 Apr 2014, at 10:12, Owen Densmore wrote:
> Fairly useful scanner software created to test for vulnerability. [https://github.com/musalbas/heartbleed-masstest/blo

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Barry MacKichan
Yes. That is my understanding. We could put our web store back online with the old certificate, but it is theoretically possible* that someone has been able to find the private key. Right now, we are playing it safe. If it takes several days for our re-issued certificate to get signed, well...

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Joshua Thorp
according to
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
http://security.stackexchange.com/questions/55382/heartbleed-read-only-the-next-64k-and-hyping-the-threat

apparently the bug gives access to 64K chunk of RAM on the server. The private key might be in that chunk, but p

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Steve Smith
And some fundamental "truths" about information entropy are even being questioned:
http://newsoffice.mit.edu/2013/encryption-is-less-secure-than-we-thought-0814

And a "new" method offered for generating keys which is reputed to not be vulnerable to brute-force attacks, based on coupled syst

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Owen Densmore
Fairly useful scanner software created to test for vulnerability.
https://github.com/musalbas/heartbleed-masstest/blob/master/top1.txt

-- Owen

On Thu, Apr 10, 2014 at 10:05 AM, Owen Densmore wrote:
> Hi Barry. How would the private keys be exposed? The pub/priv
> computation is done l

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Owen Densmore
Hi Barry. How would the private keys be exposed? The pub/priv computation is done locally, right?

BTW: All node servers are secure due to their ssl config turning off the "heartbeat" option.

NodeWeekly: Node 0.8.x and 0.10.2+ Not Vulnerable to Heartbleed Issue

Re: [FRIAM] Major bug called 'Heartbleed' exposes Internet data

2014-04-10 Thread Barry MacKichan
It is a major PITA. Certificates on affected servers (which include Amazon EC2 Linux servers) may have had their private keys exposed, so certificates have to be reissued with different keys. This is, apparently, a major bottleneck.

—Barry

On 9 Apr 2014, at 21:23, Owen Densmore wrote:
> Wor