OpenSSL leaks server-Keys / The Heartbleed Bug
Lukas Tribus
luky-37 at hotmail.com
Sat Apr 12 11:14:41 UTC 2014
Hi,
> Thanks for the link. On a quick read it seems their conclusion is that
> while it is *extremely* unlikely that your private key(s) was/were
> stolen using nginx, you should still re-key and revoke. While
> comforting, not really of any great practical help.
They updated the post; their initial analysis was wrong.
Also see:
http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
> Nice that CloudFlare (and no doubt others) received significant advance
> warning while the rest of us were left vulnerable. Just sayin...
They had no choice. They couldn't notify a lot of people about this; it
would have been leaked to exploit kits and black hats before OpenSSL
provided the bugfix. That would have been a lot worse.
Regards,
Lukas