[tor-relays] NSA knew about Heartbleed

Jesse Victors jvictors at jessevictors.com
Sat Apr 12 00:32:07 UTC 2014

Saw this article:

"The U.S. National Security Agency knew for at least two years about a
flaw in the way that many websites send sensitive information, now
dubbed the Heartbleed bug, and regularly used it to gather critical
intelligence, two people familiar with the matter said. The NSA said in
response to a Bloomberg News article that it wasn't aware of Heartbleed
until the vulnerability was made public by a private security report.
The agency's reported decision to keep the bug secret in pursuit of
national security interests threatens to renew the rancorous debate over
the role of the government's top computer experts."

Thanks NSA, glad you've got our backs there.

If you run a relay and you have been on one of the affected versions of
OpenSSL, I would urge you to STRONGLY CONSIDER your relay compromised.
Delete your keys per the recommendations and let Tor generate new ones.
It's better to cripple the network temporarily while we come back from
this, rather than preserving the uptime with possibly compromised keys.
Security matters here. Please follow the best practice recommendations.
If you run a web server, rekey your SSL certificates. Basically, if you
were affected, consider encryption to have been bypassed and passwords
and other sensitive information compromised. We cannot afford to take
chances here. If the NSA knew it, you can also bet that someone else
with a good static analyzer discovered it as well; I'll let you imagine one.

Good luck out there everyone, we really need to revoke our keys if we
were affected. Seriously, guys. It's worth it.

On a lighter note, https://xkcd.com/1354/

Stay safe. Live long and prosper.
Jesse V.
