[Openstack-security] FW: OpenSSL Heartbleed (CVE-2014-0160)

Thierry Carrez thierry at openstack.org
Wed Apr 9 10:38:55 UTC 2014


Jeffrey Walton wrote:
> On Tue, Apr 8, 2014 at 3:32 PM, Clark, Robert Graham
> <robert.clark at hp.com> wrote:
>> Thanks Malini, excellent summary.
>>
>> It’s worth re-iterating this point from the email below: Any secrets that you have previously communicated, API keys, passwords, credentials should be considered compromised.
>>
>> A second important point that isn’t being that widely discussed is the possibility that certificates and keys have been stolen and can be used to impersonate TLS servers. Now these certificates can be revoked, but that doesn’t buy you much outside of the browser: support for CRLs is spotty in system crypto APIs (and you almost certainly haven’t downloaded them), and OCSP is basically non-existent for most client libraries.
>>
> +1
> 
> Companies like Google will be OK in the short term because they use
> those 30-day certs in many places (while re-certifying the same public
> key). Others, not so sure....

Should we consider issuing an OSSN describing steps for heartbleed
mitigation in OpenStack deployments? I know it's not very different
from other affected SSL services, but I've already answered that
question twice on MLs and people are apparently very confused about it,
so it looks like something that could use a reference official answer :)

-- 
Thierry Carrez (ttx)
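The revocation gap Robert describes above (a revoked certificate only helps if the client actually asks), as an added example that is not part of this thread: a client-side OCSP check written with Python's `cryptography` library (assumed installed), run against a constructed test CA, a constructed server certificate and a stand-in responder signed directly by the CA key. `make_cert`, `build_ocsp_response` and `ocsp_status` are names I chose for this illustration, not OpenStack code.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Naive UTC, the form the x509/OCSP builders accept across cryptography versions.
NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)

def make_cert(cn, issuer_name, signer_key, key, is_ca):
    """Minimal X.509 certificate; constructed test data, not a real CA or server."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_name or name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_CERT = make_cert("Test CA", None, CA_KEY, CA_KEY, True)
SRV_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
SRV_CERT = make_cert("api.example.test", CA_CERT.subject, CA_KEY, SRV_KEY, False)

def build_ocsp_response(revoked):
    """Stand-in for the CA's OCSP responder: a leaked key is reported as key_compromise."""
    b = ocsp.OCSPResponseBuilder().add_response(
        cert=SRV_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
        revocation_time=NOW if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
    return b.sign(CA_KEY, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def ocsp_status(cert, issuer, der):
    """The check most TLS client stacks skip. Returns (status, reason) or raises."""
    r = ocsp.load_der_ocsp_response(der)
    if r.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder error: %s" % r.response_status)
    if r.serial_number != cert.serial_number:  # must be a response about *this* cert
        raise ValueError("OCSP response is for a different certificate")
    # Raises InvalidSignature unless the issuer (which signs directly here) signed it.
    issuer.public_key().verify(r.signature, r.tbs_response_bytes,
                               padding.PKCS1v15(), r.signature_hash_algorithm)
    reason = r.revocation_reason.name if r.revocation_reason else None
    return r.certificate_status.name.lower(), reason
```

A deployable check would also compare `this_update`/`next_update` against the clock so a stale "good" response cannot be replayed after the key has been revoked.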
