[tor-relays] NSA knew about Heartbleed

Eric Giannini eric.giannini at yahoo.com
Sat Apr 12 06:44:40 UTC 2014

This is an excellent email.

On Fri, Apr 11, 2014 5:32 PM PDT Jesse Victors wrote:

>Saw this article:
>"The U.S. National Security Agency knew for at least two years about a
>flaw in the way that many websites send sensitive information, now
>dubbed the Heartbleed bug, and regularly used it to gather critical
>intelligence, two people familiar with the matter said. The NSA said in
>response to a Bloomberg News article that it wasn't aware of Heartbleed
>until the vulnerability was made public by a private security report.
>The agency's reported decision to keep the bug secret in pursuit of
>national security interests threatens to renew the rancorous debate over
>the role of the government's top computer experts."
>Thanks NSA, glad you've got our backs there.
>If you run a relay and you have been on one of the affected versions of
>OpenSSL, I would urge you to STRONGLY CONSIDER your relay compromised.
>Delete your keys per the recommendations and let Tor generate new ones.
>It's better to cripple the network temporarily while we come back from
>this, rather than preserving the uptime with possibly compromised keys.
>Security matters here. Please follow the best practice recommendations.
>If you run a web server, rekey your SSL certificates. Basically, if you
>were affected, consider encryption to have been bypassed and passwords
>and other sensitive information compromised. We cannot afford to take
>chances here. If the NSA knew it, you can also bet that someone else
>with a good static analyzer discovered it as well, I'll let you imagine one.
>Good luck out there everyone, we really need to revoke our keys if we
>were affected. Seriously, guys. It's worth it.
>On a lighter note, https://xkcd.com/1354/
>Stay safe. Live long and prosper.
>Jesse V.
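A version check in the spirit of the advice above, added here as an example and not part of the thread: it parses an `openssl version` banner and flags releases that shipped Heartbleed upstream. The affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release, fixed in 1.0.1g) comes from the upstream fix, not from this post; distributions backport patches without changing the version letter, so a hit means "check the package changelog", not "confirmed vulnerable".

```python
import re

# Heartbleed shipped in OpenSSL 1.0.1 and was fixed upstream in 1.0.1g.
# The 1.0.2-beta1 pre-release also carried it. 0.9.8 and 1.0.0 never had
# the heartbeat extension and were unaffected.
FIRST_FIXED_101_LETTER = "g"

# Matches banners like "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) from an `openssl version` banner.

    letter is '' for a plain x.y.z release; beta is None unless a -betaN tag
    is present. Returns None when the banner does not look like OpenSSL.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, beta)


def upstream_heartbleed_affected(banner):
    """True if the upstream release in the banner contains Heartbleed.

    Returns None if the banner cannot be parsed. Caveat: a distro build of
    1.0.1e with a backported fix still reports 1.0.1e, so True means
    'investigate this host', not 'proven vulnerable'.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        # '' (plain 1.0.1) through 'f' are affected; 'g' and later are fixed.
        return letter < FIRST_FIXED_101_LETTER
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug.
        return beta == "-beta1"
    return False


if __name__ == "__main__":
    # Constructed sample banners, as printed by `openssl version` on various hosts.
    for b in ["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"]:
        print(b, "->", upstream_heartbleed_affected(b))
```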
