[tor-relays] NSA knew about Heartbleed

Eric Giannini eric.giannini at yahoo.com
Sat Apr 12 06:44:40 UTC 2014 


This is an excellent email.


------------------------------
On Fri, Apr 11, 2014 5:32 PM PDT Jesse Victors wrote:

>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>
>Saw this article:
>http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
>"The U.S. National Security Agency knew for at least two years about a
>flaw in the way that many websites send sensitive information, now
>dubbed the Heartbleed bug, and regularly used it to gather critical
>intelligence, two people familiar with the matter said. The NSA said in
>response to a Bloomberg News article that it wasn?t aware of Heartbleed
>until the vulnerability was made public by a private security report.
>The agency?s reported decision to keep the bug secret in pursuit of
>national security interests threatens to renew the rancorous debate over
>the role of the government?s top computer experts."
>
>Thanks NSA, glad you've got our backs there.
>
>If you run a relay and you have been on one of the affected versions of
>OpenSSL, I would urge you to STRONGLY CONSIDER your relay compromised.
>Delete your keys per the recommendations and let Tor generate new ones.
>It's better to cripple the network temporarily while we come back from
>this, rather than preserving the uptime with possibly compromised keys.
>Security matters here. Please follow the best practice recommendations.
>If you run a web server, rekey your SSL certificates. Basically, if you
>were affected, consider encryption to have been bypassed and passwords
>and other sensitive information compromised. We cannot afford to take
>chances here. If the NSA knew it, you can also bet that someone else
>with a good static analyzer discovered it as well, I'll let you imagine one.
>
>Good luck out there everyone, we really need to revoke our keys if we
>were affected. Seriously, guys. It's worth it.
>
>On a lighter note, https://xkcd.com/1354/
>
>Stay safe. Live long and prosper.
>Jesse V.
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.14 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iQF8BAEBCgBmBQJTSImHXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
>ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxMjgyMjhENjEyODQ1OTU1NzBCMjgwRkFB
>RDk3MzY0RkMyMEJFQzgwAAoJEK2XNk/CC+yA0nIIAKj1lOXRGcwMFd39CxjnymSN
>FVzrPUa/JomCJHqW/A0xSFdxbVAZIvio6C1phuWHmiiDKhsBuBGwLNzXQMGFltaw
>BnaTO1lLCvvSbEdmXPg12hR3YqR1d5D7Xnb0iTlSfrjZ7gGDEsXoJG3pU/V/RCFo
>IOEqxfZtVcI3DdrImlwcR6gPw6ip9JlTo49w8ncy6/K4cHED2liCQ13JvWjaQzSl
>uB06eWNsNo1IhPCKkZ7gFzharhN/4kAQrytC+ZcTmIrXdPrsd1lUaVICHWK9AEon
>sciDu5lI77srXWwt77YVAKw6Jrls41N3USgvKBSrxZhfBVQlCPOmoXtTHdwbhks=
>=pmBQ
>-----END PGP SIGNATURE-----
>
>_______________________________________________
>tor-relays mailing list
>tor-relays at lists.torproject.org
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

More information about the tor-relays mailing list