[olug] Heartbleed

Rob Townley rob.townley at gmail.com
Fri Apr 11 17:30:12 UTC 2014


Qualys ssllabs.com has a free tool and guidance to check which websites are
still vulnerable and general SSL configuration.

I just sent an email to a prominent hostmaster associated with plastic in
your wallet.




On Fri, Apr 11, 2014 at 11:00 AM, Tony Gies <tony.gies at gruppe86.net> wrote:

> This is a good example of why it's wise to do SSL/TLS termination
> out-of-process, where possible. Previously I had done this out of
> concern that a web server exploit might expose sensitive information
> (private keys etc.) from SSL, never suspecting that in fact the
> inverse would actually happen. If your SSL termination gets popped,
> you still have a huge problem -- the attacker can probably get your
> private key and find out some information about other requests made
> through the tunnel -- but they don't have a magic portal from SSL
> termination to your whole application layer or vice versa, because the
> underlying OS virtual memory protection keeps these things separate
> (unless your attacker has a kernel exploit). FreeBSD security
> dude/Tarsnap operator Colin Percival wrote about this here:
> http://www.daemonology.net/blog/2009-09-28-securing-https.html
>
> Also, consider this your kick in the pants to implement SSL/TLS
> Perfect Forward Secrecy if you haven't. I do a lot of consulting
> basically beefing up people's SSL configuration from the defaults that
> haven't been changed since 2001 and it's really not hard to set up. I
> may give a talk on it at some point.
>
>
> Tony Gies <tony.gies at gruppe86.net>
> Technical Projects Director
> gruppe86 | IT Consulting, Software Development, Systems Integration
>
>
> On Wed, Apr 9, 2014 at 9:43 PM, unfy <olug at unfy.org> wrote:
> > This has gotten a fair bit of press, which is good.  Reminds me of the
> > debian cert issues / rng / 64k etc thing :D.
> >
> > At my work, our policy tends to be 'if it aint broke, dont fix it'.
> >
> > Thus, none of our stuff was running the 1.x branch of openssl stuff, all
> > of it's 0.9.x stuff.
> >
> > No massive run around to 400+ locations to fix openssl stuff for meeeeeee
> > yay!
> >
> > -Will
> >
> >
> > On 4/9/2014 6:39 PM, Justin Reiners wrote:
> >>
> >> Yes over the next few days I will be changing certs as well as passwords
> >> on the entire network. We are waiting for certs to be reissued now. All
> >> outward facing servers are patched now. Working on the rest tomorrow
> >>
> >> Luckily patching is a piece of cake.
> >> On Apr 9, 2014 6:12 PM, "Jeff Hinrichs - DM&T" <jeffh at dundeemt.com> wrote:
> >>
> >>> Admins: Not only certs but you should force users to change their
> >>> passwords.
> >>>
> >>> Users: If you haven't changed your passwords in a while/ever now is the
> >>> time.  Password managers are your friend.
> >>>
> >>> Last article I saw was estimating 2/3 of the internet was affected.
> >>> Personally, our systems were 50% affected.  If you were vulnerable, you
> >>> have to assume you were compromised.
> >>>
> >>> -j
> >>>
> >>>
> >>> On Wed, Apr 9, 2014 at 6:01 PM, Tom Fritz <tfritz at me.com> wrote:
> >>>
> >>>>> I will assume that the slow traffic on the mailing list tonight is
> >>>>> because we are all busy checking our systems for the openssl heartbleed
> >>>>> vulnerability.
> >>>>>
> >>>>> If you aren't, you should be.
> >>>>>
> >>>>> RHEL/CentOS folks, please see this note:
> >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
> >>>>>
> >>>>> Red Hat announcement:
> >>>>> https://access.redhat.com/site/announcements/781953
> >>>>>
> >>>>> Fedora Announcement:
> >>>>> https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
> >>>>
> >>>> There appears to be some confusion about whether applying the fix is
> >>>> enough. If your server has been compromised you need to regen/replace
> >>>> your certs after installing the fixed openssl. I have talked with some
> >>>> folks and they think updating the openssl is enough and it may not be.
> >>>> You can't detect if your system has been compromised. I also haven't
> >>>> seen an IDS/IPS signature released. If someone knows otherwise, please
> >>>> share.
> >>>>
> >>>> Tom.
> >>>> _______________________________________________
> >>>> OLUG mailing list
> >>>> OLUG at olug.org
> >>>> https://lists.olug.org/mailman/listinfo/olug
> >>>>
> >>>
> >>>
> >>> --
> >>> Best,
> >>>
> >>> Jeff Hinrichs
> >>> 402.218.1473
> >>>
> >>
> >
>
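On Tom's point above that no IDS/IPS signature had been released yet: the check a
sensor actually needs is small, because a Heartbleed (CVE-2014-0160) probe is a
TLS heartbeat record whose declared payload length is larger than the bytes that
follow it, and the vulnerable OpenSSL copied the declared length out of its own
memory into the reply. The Python below is an added illustration for this thread,
not code from any poster or from OpenSSL. It parses raw TLS records, picks out the
heartbeat ones (content type 0x18) and flags any whose declared length exceeds the
record, or which lack the 16 bytes of padding RFC 6520 requires. The sample records
are constructed inline, not captured traffic, and the helper names are my own.

```python
"""Heartbeat length check for Heartbleed (CVE-2014-0160) probes.

Added example; parses TLS records from a byte stream and reports heartbeat
messages whose declared payload length does not fit the record that carries them.
"""
import struct

TLS_HEARTBEAT = 0x18           # TLS record ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: padding must be at least 16 bytes


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each complete TLS record.

    Stops at the first truncated record; a real sensor would buffer for reassembly.
    """
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        yield ctype, ver, body
        off += 5 + length


def check_heartbeat(body: bytes) -> str:
    """Classify one heartbeat record body.

    'oversized'     declared payload longer than the record: the Heartbleed trigger
    'short-padding' payload fits but the mandatory 16-byte padding does not
    'malformed'     too short to carry a heartbeat header, or unknown type
    'ok'            consistent with RFC 6520
    """
    if len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    if 3 + payload_len > len(body):
        return "oversized"
    if 3 + payload_len + MIN_PADDING > len(body):
        return "short-padding"
    return "ok"


def scan_stream(data: bytes):
    """Return [(record_index, verdict)] for every heartbeat record in the stream."""
    results = []
    for i, (ctype, _ver, body) in enumerate(parse_tls_records(data)):
        if ctype == TLS_HEARTBEAT:
            results.append((i, check_heartbeat(body)))
    return results


def make_heartbeat(version: int, hb_type: int, declared_len: int,
                   payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a heartbeat record; declared_len may disagree with len(payload)."""
    body = struct.pack("!BH", hb_type, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


# Constructed sample traffic (not a capture). The probe claims 0x4000 payload
# bytes while sending one; that is the shape the public Heartbleed checkers used.
HANDSHAKE = struct.pack("!BHH", 0x16, 0x0301, 3) + b"\x01\x00\x00"  # stand-in record
BENIGN = make_heartbeat(0x0302, HB_REQUEST, 4, b"ping")
PROBE = make_heartbeat(0x0302, HB_REQUEST, 0x4000, b"A")
NO_PAD = make_heartbeat(0x0302, HB_REQUEST, 4, b"ping", padding=b"")
STREAM = HANDSHAKE + BENIGN + PROBE

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("probe", PROBE),
                      ("no-padding", NO_PAD), ("stream", STREAM)):
        print(name, scan_stream(rec))
```

Two caveats. This only sees heartbeats sent in the clear before the handshake
finishes, which is how the public probes worked; a heartbeat inside the encrypted
session is opaque to a passive sensor. And it tells you about probes from now on,
not whether you were hit last week, unless you still have packet captures to run it
over, which is exactly why "assume compromised, reissue certs and passwords" is the
only safe reading.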

