Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How does one know which version of Openssl generated which keys/certs? It doesn't seem to say in the certificates or keys themselves, nor the index.txt file. I really can't remember which version I was using back in Dec. 2012 when I made them. By openssl.org's release dates, it was possibly openssl-1.0.1c. I really, really don't want to regenerate an entire root CA, all the keys, the requests and the certs after revolking the old ones for about a dozen services!
How does one know which version of Openssl generated which keys/certs? It doesn't seem to say in the certificates or keys themselves, nor the index.txt file. I really can't remember which version I was using back in Dec. 2012 when I made them. By openssl.org's release dates, it was possibly openssl-1.0.1c. I really, really don't want to regenerate an entire root CA, all the keys, the requests and the certs after revolking the old ones for about a dozen services!
The heartbeat issue is only for implementations using the secure stream program. Key generation was not compromised.
The reason for regenerating keys is due to servers using the vulnerable library _may_ have leaked the key information when being used. Since there is no trace of if/when the library used may have leaked key information, the safe bet is to regenerate keys in case someone may have used the heartbeat vector and copied private key information from an existing session.
Again - it has nothing to do with what library was used to generate keys - only when keys were used by the vulnerable library.
I got an email today from Dynadot about Heartbleed and they urged me to change my password. I only have my domain names there and no website hosting; do I really need to create a new password?
It's relevant to anyone who is using https on apache that has a vulnerable versions of OpenSSL.
There are numerous sites available that can test if your server is vulnerable.
If it is then you will need to patch appropriately, have new SSL certs issued by your provider and have any users that authenticated to the website change their passwords.
I think the best thing to do is wait until they ask you to change the password, that is after they have fixed the vulnerability. Changing your password before they fix the vulnerability is worse than keeping your current one.
Basically, users should not rush into anything.. It's the sysadmins that should rush to implement the fix.. Come to think about it, considering the certificate key is vulnerable, phishing scams are also possible until the certificate has been revoked.. So not rushing does make sense..
I think it's best to wait until the service asks you to change your password (for example, I'm a volunteer supporter in an online game.. Sure enough, yesterday all volunteers and employees found themselfs with expired passwords and a request to change them) .. That's basically what every service affected by this should do, I think
Altough, keep in mind that while this is a very important update and very critical exploit, people would have started noticing strange logins from different places.. It's also very unlikely to get compromised on systems that have double authentication if your logins are from a different computer or from different countries or regions... Even if your password is found, they still couldn't get passed the second step of auth..
Basically, while this could have been exploited in the silence to gather scattered data (and of that we can't be sure if it was or not).. But it's very unlikely that it was not exploited on large scale without trying to compromise authentication and leaving traces..
Also, and this is a definite don't do it is to click on links from received e-mails that asks you to change the password... Like I've mentioned above, phishing scams are possible right now
7pm on Dec 31st - I imagine not many eyes on it at that time or the next day.
If I wanted to hide a vulnerability in a system, that's the time I would do it.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.