[tor-relays] NSA knew about Heartbleed

Paris S papasierra88 at gmail.com
Sat Apr 12 08:16:29 UTC 2014


Interesting.
Could this be a part of what the leaked documents were referring to as
"groundbreaking capabilities" a few months back?

http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=4&_r=1&hp
https://www.eff.org/document/2013-09-05-guard-bullrun



On Sat, Apr 12, 2014 at 3:32 AM, Jesse Victors <jvictors at jessevictors.com> wrote:

>
> Saw this article:
>
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
> "The U.S. National Security Agency knew for at least two years about a
> flaw in the way that many websites send sensitive information, now
> dubbed the Heartbleed bug, and regularly used it to gather critical
> intelligence, two people familiar with the matter said. The NSA said in
> response to a Bloomberg News article that it wasn't aware of Heartbleed
> until the vulnerability was made public by a private security report.
> The agency's reported decision to keep the bug secret in pursuit of
> national security interests threatens to renew the rancorous debate over
> the role of the government's top computer experts."
>
> Thanks NSA, glad you've got our backs there.
>
> If you run a relay and you have been on one of the affected versions of
> OpenSSL, I would urge you to STRONGLY CONSIDER your relay compromised.
> Delete your keys per the recommendations and let Tor generate new ones.
> It's better to cripple the network temporarily while we come back from
> this, rather than preserving the uptime with possibly compromised keys.
> Security matters here. Please follow the best practice recommendations.
> If you run a web server, rekey your SSL certificates. Basically, if you
> were affected, consider encryption to have been bypassed and passwords
> and other sensitive information compromised. We cannot afford to take
> chances here. If the NSA knew it, you can also bet that someone else
> with a good static analyzer discovered it as well; I'll let you imagine
> one.
>
> Good luck out there everyone, we really need to revoke our keys if we
> were affected. Seriously, guys. It's worth it.
>
> On a lighter note, https://xkcd.com/1354/
>
> Stay safe. Live long and prosper.
> Jesse V.
>