Re: More on heartbeat/bleed

On Wed, Apr 16, 2014 at 12:35:23PM CEST, Joel Rees <joel.rees@gmail.com> said:
> For those who are getting excited, don't. Take the time to understand the
> whole process, and the reason certificates and cryptographic tokens should
> be rotated, and how you go about doing it. (They should be rotated anyway,
> and if you don't, well, it's time to start learning how, and this is as good
> a reason as any.)
> Incidentally, nobody does it right yet, not even the banks. In my way of
> thinking, that's a bigger problem than being able to reach blindly into a
> server's memory.

Some do; however, only the certificate expires, not the keys...

Thus many of those who rotate the certificate just issue a new one
with existing key, just changing the dates and signing.

And that's bad.

