[Linuxtrent] Re: HeartBleed Bug

  • From: Roberto Resoli <roberto@xxxxxxxxxxxxxx>
  • To: linuxtrent@xxxxxxxxxxxxx,Marco Agostini <comunelevico@xxxxxxxxx>
  • Date: Sat, 12 Apr 2014 19:48:27 +0200

On 12 April 2014 14:17:40 CEST, Marco Agostini <comunelevico@xxxxxxxxx> wrote:
>On 12 April 2014 12:28, Roberto Resoli <roberto@xxxxxxxxxxxxxx> wrote:
>> On 11/04/2014 22:08, Roberto Resoli wrote:
>>
>> Short-lived, the "heartbleed challenge" is already over, as reported
>> by Tiziano in another message:
>>
>> https://www.cloudflarechallenge.com/heartbleed
>>
>my poor English is shaky ... I didn't understand what they did
>with this "heartbleed challenge"

The challenge was to discover the private key of a server with the
configuration given in the post, using the exploit in question:

nginx-1.5.13 linked against OpenSSL 1.0.1.f on Ubuntu 13.10 x86_64

Also on the main page

https://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

this notice appears:

---
Below is what we thought as of 12:27pm UTC. To verify our belief we crowd 
sourced the investigation. It turns out we were wrong. While it takes effort, 
it is possible to extract private SSL keys. The challenge was solved by 
Software Engineer Fedor Indutny and Ilkka Mattila at NCSC-FI roughly 9 hours 
after the challenge was first published. Fedor sent 2.5 million requests over 
the course of the day and Ilkka sent around 100K requests. Our recommendation 
based on this finding is that everyone reissue and revoke their private keys. 
CloudFlare has accelerated this effort on behalf of the customers whose SSL 
keys we manage.
---