[tor-relays] NSA knew about Heartbleed
papasierra88 at gmail.com
Sat Apr 12 08:16:29 UTC 2014
Could this be a part of what the leaked documents were referring to as
"groundbreaking capabilities" a few months back?
On Sat, Apr 12, 2014 at 3:32 AM, Jesse Victors <jvictors at jessevictors.com> wrote:
> Saw this article:
> "The U.S. National Security Agency knew for at least two years about a
> flaw in the way that many websites send sensitive information, now
> dubbed the Heartbleed bug, and regularly used it to gather critical
> intelligence, two people familiar with the matter said. The NSA said in
> response to a Bloomberg News article that it wasn't aware of Heartbleed
> until the vulnerability was made public by a private security report.
> The agency's reported decision to keep the bug secret in pursuit of
> national security interests threatens to renew the rancorous debate over
> the role of the government's top computer experts."
> Thanks NSA, glad you've got our backs there.
> If you run a relay and you have been on one of the affected versions of
> OpenSSL, I would urge you to STRONGLY CONSIDER your relay compromised.
> Delete your keys per the recommendations and let Tor generate new ones.
> It's better to cripple the network temporarily while we come back from
> this, rather than preserving the uptime with possibly compromised keys.
> Security matters here. Please follow the best practice recommendations.
> If you run a web server, rekey your SSL certificates. Basically, if you
> were affected, consider encryption to have been bypassed and passwords
> and other sensitive information compromised. We cannot afford to take
> chances here. If the NSA knew it, you can also bet that someone else
> with a good static analyzer discovered it as well, I'll let you imagine
> Good luck out there everyone, we really need to revoke our keys if we
> were affected. Seriously, guys. It's worth it.
> On a lighter note, https://xkcd.com/1354/
> Stay safe. Live long and prosper.
> Jesse V.