[Linux-aus] Post in ZDnet re: Heartbleed

Brent Wallis brent.wallis at gmail.com
Thu Apr 17 15:56:08 EST 2014


Gidday,


On Thu, Apr 17, 2014 at 3:34 PM, Glen Turner <gdt at gdt.id.au> wrote:

> Hi Brent,
>
> > Up until that point, an exploit had not been posted nor had any proof
> been made that showed it could be done.
>
> An attacker didn't need to exploit it. They simply needed to record the
> contents of the 64KB chunk to take advantage of a future exploit.
>
>
It's probably debatable as to whether a single 64KB chunk would provide
anything useful, however, that is why I mentioned the 3 steps to mitigate
the risk:
1. Identify and Patch
2. Replace Certs
3. Change Passwords

...you are correct that a future exploit would be theoretically possible if
steps 2 and 3 were not done....


> Also, note that the exploit was to get a private key. There’s plenty of
> evidence that private information was more easily available.
>
>
In my last post I said that the assumption had to be made that a compromise
had already taken place ... well before any of us knew of the issue.


> I view the reluctance of systems administrators to cease serving prior to
> fixing the bug as simple prioritisation of uptime (ie, revenue) over their
> user’s privacy.
>

No....the assumption had to be made that the probability of a compromise
was as near as certain as it could be, and, that it had already happened...
most likely months before.
A shutdown was not going to fix that.... in this instance on the balance
of probabilities, an immediate shutdown protects nothing and no one. ...
there is already blood on the floor so to speak.

Speed in taking those 3 steps is what really matters in terms of user
protection.

And please remember, some SSL-enabled systems are not there just to gain
"revenue", some drive important infrastructure.

Rgds



> -glen
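A small triage helper for the three-step plan discussed in the thread, added here as an example and not part of the original post. The affected version range is the upstream OpenSSL one for CVE-2014-0160; the host banners and certificate dates are constructed sample values.

```python
import re
from datetime import date

# Upstream OpenSSL builds carrying the Heartbleed bug (CVE-2014-0160):
# 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is the first fixed release.
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?")


def is_vulnerable_version(banner):
    """Step 1 (identify): is this upstream version string in the affected range?
    Caveat: distributions backport the fix without bumping the upstream string
    (Debian/Ubuntu kept '1.0.1e'), so True means 'check the package changelog',
    not 'definitely still vulnerable'."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    if (major, minor, fix) == ("1", "0", "1"):
        return letter < "g"          # "" (plain 1.0.1) up to and including "f"
    if (major, minor, fix) == ("1", "0", "2"):
        return beta == "-beta1"
    return False


def triage(banner, cert_not_before, patched_on=None):
    """Return the outstanding actions from the three-step plan for one host.
    cert_not_before: notBefore date of the serving certificate (ISO string).
    patched_on: ISO date the fixed OpenSSL went live, or None if not yet patched.
    Working assumption, as in the post: any key that existed while the host ran
    a vulnerable build is treated as already compromised."""
    if patched_on is None:
        if not is_vulnerable_version(banner):
            return []                # never affected: nothing to do
        return ["1. patch OpenSSL (or confirm the distro backport)",
                "2. replace certificate and private key",
                "3. change passwords and invalidate sessions"]
    if date.fromisoformat(cert_not_before) < date.fromisoformat(patched_on):
        return ["2. replace certificate and private key",
                "3. change passwords and invalidate sessions"]
    return []                        # cert and key issued after the fix


if __name__ == "__main__":
    # Constructed sample hosts, not real inventory.
    print(triage("OpenSSL 1.0.1e-fips 11 Feb 2013", "2013-06-01"))
    print(triage("OpenSSL 1.0.1g 7 Apr 2014", "2013-06-01", patched_on="2014-04-08"))
```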