On Sat, Apr 12, 2014 at 05:12:07PM +0100, bad apple wrote:

> Whilst *possible*, retrieving SSL private keys seems to be extremely
> difficult and Cloudflare themselves say that unless you just restarted
> your HTTPD, probably impossible.

Well, before they put up the challenge, they said they were pretty certain private keys couldn't be discovered full stop. So I'm not sure if "probably impossible" is a good enough reason not to revoke your certificate, even if you haven't rebooted your server in a long while. (And even if you believe IDS would have detected anyone looking for it.)

> The OpenSSL devs should be taken out and shot as far as I am concerned.

I know you don't mean this literally, but really? Code is written by people. People make mistakes. Sometimes bad ones. And sometimes several bad mistakes add up to something Very Bad, like Heartbleed.

The code should have been audited properly. I don't think we can blame the devs for this not happening. And a silver lining to this mess is that people will be far more critical of code and demand proper audits. Like the one happening to TrueCrypt at the moment.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq