Changes between Version 1 and Version 2 of heartbleed
Timestamp:
Apr 9, 2014, 1:01:25 PM (10 years ago)
Author:
Jamie McClelland
Comment:

--

  • heartbleed

    v1 v2  
    33Dear May First/People Link Members,
    44
    5 A serious security vulnerability has been discovered in the most popular cryptography software on the Internet, affecting 2/3 of all web sites[0], including many May First/People Link members.
     5A serious security vulnerability has been discovered in the most popular cryptography software on the Internet, affecting 2/3 of all web sites, including many May First/People Link members.
    66
    77MF/PL's Support, Infrastructure and Data Sovereignty Team has been working hard to address the issue. Within 24 hours of the public announcement, we're proud to report that all servers have been upgraded.
    88
    9 Unfortunately, upgrading the server software is not enough. If you are running a web site that uses https, we will need your help to fully protect all services. Here's why:
     9Unfortunately, upgrading the server software is not enough. We strongly encourage all members to change the passwords you have used on May First/People Link servers.
     10
     11In addition, if you are running a web site that uses https and you have created your own "ssl" key and purchased your own certificate, we will need your additional help to fully protect all services. Here's why:
    1012
    1113During the period in which our servers were vulnerable it was possible for someone who can access your traffic to compromise the key that encrypts that traffic. If your key was compromised, then fixing the bug is not enough: you'll need to generate a new key and get a new x509 certificate.
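Review bot: the new line 9 tells every member to change their passwords but gives no ordering relative to the key and certificate replacement asked for on lines 11 and 13. A password sent over TLS to a server whose key was already exposed can be read by whoever holds that key, so members who set a new password before the site's key and certificate are replaced may expose the new password as well. Suggest adding one sentence after line 9 along the lines of "Change passwords only after the servers were upgraded (see above) and, for sites with their own certificate, after the new certificate is installed", so the two pieces of advice on lines 9 and 11 are applied in the right order.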
     
    1315Questions:
    1416
    15 '''How do I generate a new key?'''
     17''How do I generate a new key?''
    1618
    1719Please visit our [wiki:faq/security/get-certificate wiki page on generating keys and obtaining certificates].
    1820
    19 '''How long were our servers vulnerable?'''
     21''How long were our servers vulnerable?''
    2022
    2123The vulnerability has been in existence for 2 years, however, most of our servers were vulnerable for a much shorter period. Seventy-six MF/PL servers were affected by this bug. A handful of them have been vulnerable for any where from 2 months to a year, about half have been vulnerable for 5 weeks, and the other half for less than a week.
    2224
    23 '''Do I have to generate a new key?'''
     25''Do I have to generate a new key?''
    2426
    2527No. It's your choice and you may decide that it's not worth the effort. To compromise your site, an attacker must have access to your Internet traffic and must of taken advantage of this bug either in the last 24 hours or prior to the public release of the bug. For most sites, that's unlikely. On the other hand, we now have concrete information about massive spying operations by the National Security Agency, including huge databases of recorded Internet traffic.
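Review bot: line 27 (and line 13 above it) states that to compromise a site "an attacker must have access to your Internet traffic". That is the precondition for decrypting recorded traffic with a stolen key, not for stealing the key itself: the OpenSSL heartbeat bug lets any client that can open a TLS connection to the vulnerable server read chunks of server memory, which is where the private key may be found. Suggest rewording to "an attacker must have connected to the server while it was vulnerable and taken advantage of this bug ..." and keeping the traffic-access condition only for the NSA/recorded-traffic sentence that follows, otherwise members will underestimate the likelihood. While editing that paragraph, "must of taken" on line 27 should read "must have taken", and "any where" on line 23 should be "anywhere".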
     
    2729Notes:
    2830
    29 0. http://heartbleed.org calls it the most popular encryption library. And, arstechnica estimates [http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ it is used by 2/3 or all web sites].
     31According to the web site [http://heartbleed.org hearbleed], openssl is the most popular encryption library. And, arstechnica estimates [http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ it is used by 2/3 or all web sites].
    3032
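Review bot: the new line 31 misspells the site name as "hearbleed" in the link text, and "2/3 or all web sites" (carried over from line 29) should read "2/3 of all web sites". Dropping the "[0]" marker from line 5 is consistent with the note on line 31 no longer being numbered, so no further change is needed there; only the two spelling fixes.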