[Wolves] Fwd: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

Chris Ellis chris at intrbiz.com
Tue Apr 8 18:41:06 UTC 2014


On Tue, Apr 8, 2014 at 7:32 PM, David Goodwin <david at codepoets.co.uk> wrote:

>
>> It's a pretty serious bug, as it allows the attacker to reveal up to 64KiB
>> of private memory, this could potentially include the SSL private keys!
>> The bug does only affect OpenSSL version 1.0.1 (and 1.0.2) but it affects
>> anything using OpenSSL, eg: Apache HTTPD, OpenVPN, etc.
>>
>
> Yes. Unfortunately it's the case that if you hadn't upgraded to Debian
> Wheezy (and were still on Squeeze) that you would have been safe.
> Annoyingly I upgraded my mail server less than a week ago :-(
>
> Now to question which banks (if any) have been compromised/hit
>

Most banks will be running older stacks. Few are offering TLS 1.1 or TLS
1.2 yet nor forward secrecy. For example NatWest doesn't even offer AES
cipher suites, forcing RC4 or 3DES. Ultimately most banks don't actively
care about their SSL configurations.


>
> See also : https://lwn.net/Articles/593683/
>
>
> David
>
>
> --
> David Goodwin
> http://codepoets.co.uk
>
>
>