This is an excellent email.
------------------------------ On Fri, Apr 11, 2014 5:32 PM PDT Jesse Victors wrote:
Saw this article: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bu...
"The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA said in response to a Bloomberg News article that it wasn't aware of Heartbleed until the vulnerability was made public by a private security report. The agency's reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts."
Thanks NSA, glad you've got our backs there.
If you run a relay and you have been on one of the affected versions of OpenSSL, I would urge you to STRONGLY CONSIDER your relay compromised. Delete your keys per the recommendations and let Tor generate new ones. It's better to cripple the network temporarily while we come back from this, rather than preserving the uptime with possibly compromised keys. Security matters here. Please follow the best practice recommendations. If you run a web server, rekey your SSL certificates. Basically, if you were affected, consider encryption to have been bypassed and passwords and other sensitive information compromised. We cannot afford to take chances here. If the NSA knew it, you can also bet that someone else with a good static analyzer discovered it as well, I'll let you imagine one.
Good luck out there everyone, we really need to revoke our keys if we were affected. Seriously, guys. It's worth it.
On a lighter note, https://xkcd.com/1354/
Stay safe. Live long and prosper. Jesse V.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays