OpenSSL
Niels Dettenbach
nd at syndicat.com
Tue Apr 8 05:46:27 PDT 2014
On Tuesday, 8 April 2014, 22:37:53, Joshua Root wrote:
> > ...as far as I am informed about the current security notice / patch in
> > OpenSSH (!) it makes no sense to generate new host or client keys. It
> > could make sense to delete the known_hosts as the sec flaw could make it
> > possible in circumstances that a new client connects to a DNS faked host
> > when not verifying the host key fingerprint during the host verifying
> > process.
> According to heartbleed.com, any data that was in the memory of the
> process using openssl could have been revealed to an attacker. That
> would include private keys.
...sorry, I've scrambled the security notice with one about OpenSSH from
Debian and others yesterday (and thought this was a swap here).
Yes, theoretically any server key might have to be regarded as insecure if
handled publicly with the respective openssl versions, but in practice it
depends on several further parameters how "easy" it was for an attacker (until
now) to get a full secret key out of a system and how well a (potential)
attacker knows the system setup / software (i.e. a publicly available binary
system plus software distribution).
We have to wait for more details to get in a position to calculate the risk
for a particular system in practice in more detail.
Anyhow: where server secret keys could be changed more easily (i.e. SSH host
keys) this should be done.
hth
cheerioh,
Niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---