<div dir="ltr"><div>Interesting.</div><div>Could this be a part of what the leaked documents were referring to as "groundbreaking capabilities" a few months back?</div><div><br></div><div><a href="http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=4&_r=1&hp">http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=4&_r=1&hp</a></div>
<div><a href="https://www.eff.org/document/2013-09-05-guard-bullrun">https://www.eff.org/document/2013-09-05-guard-bullrun</a></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Apr 12, 2014 at 3:32 AM, Jesse Victors <span dir="ltr"><<a href="mailto:jvictors@jessevictors.com" target="_blank">jvictors@jessevictors.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Saw this article:<br>
<a href="http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html" target="_blank">http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html</a><br>
<br>
"The U.S. National Security Agency knew for at least two years about a<br>
flaw in the way that many websites send sensitive information, now<br>
dubbed the Heartbleed bug, and regularly used it to gather critical<br>
intelligence, two people familiar with the matter said. The NSA said in<br>
response to a Bloomberg News article that it wasn't aware of Heartbleed<br>
until the vulnerability was made public by a private security report.<br>
The agency's reported decision to keep the bug secret in pursuit of<br>
national security interests threatens to renew the rancorous debate over<br>
the role of the government's top computer experts."<br>
<br>
Thanks NSA, glad you've got our backs there.<br>
<br>
If you run a relay and you have been on one of the affected versions of<br>
OpenSSL, I would urge you to STRONGLY CONSIDER your relay compromised.<br>
Delete your keys per the recommendations and let Tor generate new ones.<br>
It's better to cripple the network temporarily while we come back from<br>
this, rather than preserving the uptime with possibly compromised keys.<br>
Security matters here. Please follow the best practice recommendations.<br>
If you run a web server, rekey your SSL certificates. Basically, if you<br>
were affected, consider encryption to have been bypassed and passwords<br>
and other sensitive information compromised. We cannot afford to take<br>
chances here. If the NSA knew it, you can also bet that someone else<br>
with a good static analyzer discovered it as well. I'll let you imagine one.<br>
<br>
Good luck out there everyone, we really need to revoke our keys if we<br>
were affected. Seriously, guys. It's worth it.<br>
<br>
On a lighter note, <a href="https://xkcd.com/1354/" target="_blank">https://xkcd.com/1354/</a><br>
<br>
Stay safe. Live long and prosper.<br>
Jesse V.<br>
<br>
<br>
_______________________________________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
</blockquote></div><br></div>