Rick Welykochy wrote:

> The Heartbleed Bug has been plaguing Apache and nginx web servers
> for a couple of years.

Actually, the bug was in OpenSSL so those web servers may just be the highest profile, but not the only, software affected...

> The press has gone wild with announcements today. From what I have read
> there is no evidence that the bug has been exploited in the wild. But
> attacking communication systems that have this bug leaves no trace in logs,
> i.e. attacks are undetectable.

It's trivial to exploit and undetectable without a network-level packet capture. Who or what was exploited is one of those "known unknowns", so everyone should just follow the recommended course of action:

- patch the software
- regenerate new keys
- create new certificates and revoke the old ones
- revoke existing access tokens, session cookies, etc. etc.
- trigger password resets

This may seem like overkill, but it's realistically the only way to restore a semblance of security and is not overly onerous given the alternative possibilities.

> Detecting the bug on web services you use:
>
> https://www.ssllabs.com/ssltest/analyze.html

The only issue I have with this is that it only checks the *current* status of the bug itself. It should also be checking the issue date of the certificate and warning that if it was not generated recently with a new key *and* the server was previously vulnerable, then the server may still be at risk due to any previously retrieved key material or access tokens.

cheers
Marty

_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link
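The certificate-age check Marty says the scanner is missing, written out as an added example (not code from the thread or from SSL Labs). It assumes the certificate is a dict in the shape `ssl.SSLSocket.getpeercert()` returns, that the operator supplies the date the host was patched and whether it ever ran an affected OpenSSL, and that the optional key fingerprints are whatever digest of the public key the operator recorded before and after reissue; the sample certificates and dates below are constructed.

```python
import ssl
from datetime import datetime, timezone


def cert_not_before(cert):
    """notBefore of a getpeercert()-style dict as an aware UTC datetime."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])  # parses 'Apr  8 00:00:00 2014 GMT'
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def assess_cert(cert, was_vulnerable, patched_at, old_key_fp=None, key_fp=None):
    """Return (verdict, reason) for a host after Heartbleed remediation.

    cert           - dict shaped like ssl.SSLSocket.getpeercert()
    was_vulnerable - did this host ever run an affected OpenSSL build?
    patched_at     - aware UTC datetime it was patched, or None if still unpatched
    old_key_fp / key_fp - optional public-key fingerprints recorded before and
                     after the reissue (any stable digest of the public key)
    """
    if not was_vulnerable:
        return "ok", "host never ran a vulnerable OpenSSL build"
    if patched_at is None:
        return "at-risk", "host is still unpatched; a current-status scanner would flag it"
    if cert_not_before(cert) < patched_at:
        # The key was in service while the bug was exploitable, so a current
        # "not vulnerable" result says nothing about whether it stayed secret.
        return "at-risk", "certificate predates the patch; private key may have been retrieved"
    if old_key_fp is not None and old_key_fp == key_fp:
        # A reissued certificate on the same key pair gains nothing.
        return "at-risk", "certificate reissued but the public key did not change"
    return "ok", "certificate issued after patching with a new key"


# Constructed sample data: not real hosts, certificates or dates of any incident.
PATCHED_AT = datetime(2014, 4, 9, 12, 0, tzinfo=timezone.utc)
OLD_CERT = {"subject": ((("commonName", "www.example.org"),),),
            "notBefore": "Mar  1 00:00:00 2014 GMT", "notAfter": "Mar  1 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "www.example.org"),),),
            "notBefore": "Apr 10 08:30:00 2014 GMT", "notAfter": "Apr 10 08:30:00 2015 GMT"}

if __name__ == "__main__":
    for label, cert, old_fp, new_fp in (("old cert", OLD_CERT, None, None),
                                        ("reissued, same key", NEW_CERT, "fp-1", "fp-1"),
                                        ("reissued, new key", NEW_CERT, "fp-1", "fp-2")):
        print(label, "->", assess_cert(cert, True, PATCHED_AT, old_fp, new_fp))
```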