FYI: Roll your passwords (CVE-2014-0160 notification)


Ryan Tucker

Apr 8, 2014, 8:54:09 AM
to RocWiki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings...


Summary: Change your password on RocWiki, and change your passwords
on every other site once they individually fix CVE-2014-0160 and
regenerate their private keys.


If you're in the scene, you've probably heard of this already:
http://www.openssl.org/news/secadv_20140407.txt

The impact of this on the global scale is significant, to say the least.
In short, this allows an attacker to silently recover the private key of
a server. This key can then be used to decrypt any session encrypted
against that key[1], i.e., defeat the secrecy of the encrypted sessions
without any trace.

I estimate that rocwiki.org was vulnerable to this starting in April
2013, when we moved from Ubuntu 8.04 to Ubuntu 12.04.

While rocwiki.org isn't exactly chock full of private information,
there's an implicit trust in the little padlock icon, and unfortunately
that icon has been a lie for a significant number of websites over the
past couple of years. We can only assume the worst, since there's no
way to know otherwise.

If you're super-paranoid, note that our certificate serial number should be:
1d fc 0b a1 de 8d 1f 27 69 a5 32 89 3f d0 ac d6
The old certificate is not yet on the Certificate Revocation List, but
will be as soon as I manage to explain to Namecheap what a "CRL" is.

- -rt

[1] Yes, there is Forward Secrecy, but rocwiki.org does not yet support
it. Rats. (https://www.ssllabs.com/ssltest/analyze.html?d=rocwiki.org)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----
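The "super-paranoid" check above (compare the serial number of the certificate a server presents with the one you were told to expect) is easy to script. The following is an added example, not code from the post or from RocWiki: it parses just enough DER to pull the serialNumber out of an X.509 certificate, normalises it to the spaced-hex form used in the post, and compares it with a pinned value. The certificate it checks offline is a constructed stand-in (only the fields up to serialNumber are real; the rest is padding), and `fetch_serial_hex()` is the live variant for a real host; both names are this example's own, not anything RocWiki provides.

```python
"""Verify a server certificate's serial number against a pinned value.

Added example (not part of the original announcement). Parses enough DER to
read serialNumber from an X.509 certificate and compares it with the value
the operator published. Only fetch_serial_hex() touches the network.
"""
import ssl

# Serial quoted in the RocWiki post for the post-Heartbleed certificate.
EXPECTED_SERIAL = "1d fc 0b a1 de 8d 1f 27 69 a5 32 89 3f d0 ac d6"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).

    Single-byte tags only (sufficient for X.509), definite lengths up to 4 bytes.
    """
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def extract_serial(der_cert):
    """Return the raw serialNumber INTEGER contents of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... }, ... }
    """
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:  # explicit [0] version present (v2/v3); serial follows it
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return value


def serial_to_hex(serial):
    """Format as in the post: lowercase bytes separated by spaces.

    DER prefixes a 0x00 byte to positive integers whose top bit is set;
    drop it so the output matches what certificate viewers display.
    """
    if len(serial) > 1 and serial[0] == 0x00 and serial[1] & 0x80:
        serial = serial[1:]
    return " ".join(f"{b:02x}" for b in serial)


def _normalize(text):
    """Accept '1d fc ...', '1D:FC:...' or '1dfc...' interchangeably."""
    return text.replace(":", "").replace(" ", "").lower()


def serial_matches(der_cert, expected=EXPECTED_SERIAL):
    """True if der_cert carries the expected serial number."""
    return _normalize(serial_to_hex(extract_serial(der_cert))) == _normalize(expected)


def fetch_serial_hex(host, port=443):
    """Live check: fetch the leaf certificate from host and return its serial."""
    pem = ssl.get_server_certificate((host, port))
    return serial_to_hex(extract_serial(ssl.PEM_cert_to_DER_cert(pem)))


# --- constructed sample input (not a real or valid certificate) -------------

def _der(tag, content):
    """Tiny DER TLV encoder (lengths below 65536) used only to build the sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def sample_cert(serial, with_version=True):
    """Stand-in certificate: real structure up to serialNumber, padding after.

    The 200-byte OCTET STRING forces long-form lengths on the outer SEQUENCEs,
    so the length-decoding path a real certificate takes is exercised.
    """
    version = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""  # v3
    tbs = _der(0x30, version + _der(0x02, serial) + _der(0x04, b"\x00" * 200))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    cert = sample_cert(bytes.fromhex(EXPECTED_SERIAL))
    print(serial_to_hex(extract_serial(cert)), serial_matches(cert))
```

For a real check, `fetch_serial_hex("rocwiki.org")` and compare the result with the published value; a different serial means a different certificate than the one the operator announced, which after a key-compromising bug is exactly the thing to notice.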