[Openstack-security] FW: OpenSSL Heartbleed (CVE-2014-0160)

Jeffrey Walton noloader at gmail.com
Tue Apr 8 20:07:19 UTC 2014


On Tue, Apr 8, 2014 at 3:32 PM, Clark, Robert Graham
<robert.clark at hp.com> wrote:
> Thanks Malini, excellent summary.
>
> It’s worth re-iterating this point from the email below: Any secrets that you have previously communicated, API keys, passwords, credentials should be considered compromised.
>
> A second important point that isn’t being that widely discussed is the possibility that certificates and keys have been stolen and can be used to impersonate TLS servers. Now these certificates can be revoked, but that doesn’t buy you much outside the browser: support for CRLs is spotty in system crypto APIs (and you almost certainly haven’t downloaded them), and OCSP is basically non-existent for most client libraries.
>
+1

Companies like Google will be OK in the short term because they use
those 30-day certs in many places (while re-certifying the same public
key). Others, not so sure....

Jeff
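The revocation gap Robert describes in the quoted mail, shown as an added example that is not code from this thread, from OpenStack or from OpenSSL: a Go program that builds a throwaway CA, a leaf certificate for the hypothetical host api.example.test, and a CRL in which the CA revokes that leaf (as it would after a Heartbleed-style key leak). The standard library's x509 path validation still accepts the leaf, because it never consults a CRL; only an explicit lookup, which the client has to fetch, authenticate and check for staleness itself, catches the revocation. The names demoPKI, buildDemoPKI, verifyChain and isRevokedByCRL, the host name and all key material are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed, throwaway PKI: a root CA, a leaf for the
// hypothetical host api.example.test, and the CRL the CA issued after the
// leaf's key was (hypothetically) leaked. Nothing here is a real certificate.
type demoPKI struct {
	caCert   *x509.Certificate
	leafCert *x509.Certificate
	crlDER   []byte
}

// check aborts fixture setup on any error; this is test scaffolding, not client code.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func buildDemoPKI() *demoPKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// crlSign is required, otherwise CreateRevocationList refuses to sign.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "api.example.test"},
		DNSNames:  []string{"api.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	leafCert, err := x509.ParseCertificate(leafDER)
	check(err)

	// The CA publishes a CRL that lists the leaf's serial number as revoked.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{
			SerialNumber: leafCert.SerialNumber, RevocationTime: now.Add(-time.Minute),
		}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	check(err)
	return &demoPKI{caCert: caCert, leafCert: leafCert, crlDER: crlDER}
}

// verifyChain is what a typical TLS client library does: build a path to a
// trust anchor and check names, validity period and signatures. No CRL or
// OCSP response is consulted, so a revoked certificate still passes.
func verifyChain(p *demoPKI, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	_, err := p.leafCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isRevokedByCRL is the step the client must add itself: obtain the issuer's
// CRL (passed in here as DER bytes), confirm the issuer signed it, refuse it
// if it is past NextUpdate, and only then look the leaf's serial up in it.
func isRevokedByCRL(crlDER []byte, issuer, leaf *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s; refusing to trust stale data", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := buildDemoPKI()
	fmt.Println("path validation error:", verifyChain(p, "api.example.test")) // <nil>: the library is happy
	revoked, err := isRevokedByCRL(p.crlDER, p.caCert, p.leafCert, time.Now())
	fmt.Println("revoked per CRL:", revoked, "error:", err) // true <nil>
}
```

The staleness check matters as much as the serial lookup: a client that keeps using a CRL past its NextUpdate can be fed an old, pre-revocation list by whoever holds the stolen key and a network position, which is exactly the attacker the quoted mail is worried about.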
