Hi Dan, > AFAIK OpenSSH is not affected by the OpenSSL bug. While OpenSSH does use > OpenSSL for some key-generation functions, it doesn't use the TLS > protocol or the TLS heartbeat extension.
Yeah. But I'm not taking chances on this. Also, I laid off regeneration of longer SSH key-pairs for quiet a bit due to the required hassles. So this time was as good as any to get it finally sorted. > Re-keying SSL certs is a *very* good idea and I'm doing the same for > myself and all my customers keys. It's one hell of a pain though. It sure is. > The other thing I want to point out is session keys. I'd highly advise > resetting all session keys and forcing everyone to log back in again. Good point. As far as the BlueOnyx goes that's in the clear, though. The GUI session keys expire after 60 minutes of inactivity. But it all depends on the application. Other pages that use session keys might not expire them at all. Which is a security sin in first place, tbh. > I bet Apple are feeling smug right now Ah, I wouldn't be so sure of that. Android isn't off much better there either. There are some legacy Android versions that won't get patched unless the respective vendors get off their collective behinds and Android also had their own SSL-gate with apps not following the established procedures of verifying SSL certs. Then there is the huge quantity of affected routers and other "black box" devices affected by this SSL issue in one form or other. It's pretty sad that so much of the nets security rests on such a piece of crap as OpenSSL. I think Google is feeling pretty smug right now and rightfully so. AFAIK Google developers found this bug. Now think about this: I'm wondering if it's really a clever idea to to have Eric Rescorla working on the development of the TLS protocol. After all, that's the guy who's responsible for the NSA backdoor in the Dual EC DRBG algorithm. See: http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331 https://tools.ietf.org/html/draft-rescorla-tls13-new-flows-01 He's also the one who had committed that crappy piece of code that did lead to this issue to begin with. While CVE-2014-0160 looks like a bug and smells like a bug, I wouldn't wonder if it is a little more than. If so, then the Google guys just crashed the NSA's party. Payback is a bitch. :-) -- With best regards Michael Stauber _______________________________________________ Blueonyx mailing list Blueonyx@mail.blueonyx.it http://mail.blueonyx.it/mailman/listinfo/blueonyx