Laura Arjona Reina

OpenSSL heartbleed bug howto...

Laura Arjona Reina at

Well this is my plan for today

  • Update my computers, reboot, generate new ssh keys, change passwords. (Done!)

  • Check the servers that were running Wheezy, update them, reboot, generate new ssh keys, change passwords. The web servers were using OpenSSL 0.9.8.x so I don't need to request new certificates, I think. (Done!)

  • Ask all the service providers where I have an account if they were affected; if so, whether they patched their servers, and then change passwords. (Work in progress)

  • Warn my users and friends about this. (Work in progress)

  • How can I know when a certain (third party) server is safe, if they don't issue an advisory? My idea is to look at the SSL certificate issue date, but even if it is recent (from today on) I cannot be sure, can I? And if it's old, maybe it is the same situation as mine, that they were using OpenSSL 0.9.8.x and they are not affected...

  • What about GPG keys? Are they affected? Should I generate a new pair?

jrobb, Michael (majeSTYX), Eugenio M. Vigo like this.

Michael (majeSTYX) shared this.

Laura, there is a tool to check whether servers are vulnerable to the heartbleed exploit. Check that:

http://filippo.io/Heartbleed

luisgf at 2014-04-08T08:11:43Z

Thanks @luisgf but

  • It seems it's only for web servers (what about OpenLDAP, mail servers...)

  • I can trust it if it says that the server is compromised, but not if it says no, or that something went wrong (even if the server is OK, the certificate can be compromised and then all the info anyway, isn't it? Or is the certificate only for authenticating the server, and not used for encryption?)

Laura Arjona Reina at 2014-04-08T08:20:37Z

Michael (majeSTYX) likes this.

#heartbleed is bad for all TLS and SSL connections, servers and clients. So IMAPS, LDAPS, mutt are all affected. But ssh and OpenPGP are not, because they are not TLS/SSL and thus do not have the heartbeat protocol. All AFAIK.

Bernhard E. Reiter at 2014-04-09T07:43:15Z