[Ach] heartbleed -- some background...

L. Aaron Kaplan aaron at lo-res.org
Fri Apr 11 12:29:32 CEST 2014


On Apr 11, 2014, at 12:17 PM, ianG <iang at iang.org> wrote:

> On 11/04/2014 06:11 am, L. Aaron Kaplan wrote:
> 
>> I'd also like to propose to have a small section on heartbleed... at *least* on the web page.
> 
> 
> You don't get better crypto if you've got the wrong versions of OpenSSL.
> So maybe the answer is to just add that into the sections on OpenSSL,
> "avoid versions x-y and here's how to check."

Right. Okay.
So... maybe the best way to formulate this is something along the lines:

disclaimer 
============

All crypto libraries have bugs and vulnerabilities. 
We advise the gentle reader to check the respective websites for known vulnerabilities before deployments.
Here is a list of URLs to check for vulnerabilities:

 openssl: https://www.openssl.org/news/
 gnutls: http://www.gnutls.org/security.html
 ...

Better?

> 
>> Hopefully this heartbleeding will stop soon and I can get around to working more on bettercrypto again.
> 
> It could also be on a corner of the home page which is a blog / latest
> news.
> 
Agreed.

However, I think it should be there. It shows that the project did not stop after the first public draft version.


> iang
> 
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
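As an added illustration of the "avoid versions x-y and here's how to check" idea discussed above (example code, not part of this thread or of the bettercrypto project): a small Python checker that parses OpenSSL-style version strings (major.minor.fix plus an optional patch letter, e.g. 1.0.1f) so they compare in release order, pulls the version out of the `openssl version` banner, and reports whether the installed version falls inside the affected range that an advisory page lists. The affected range is not hard-coded; the first and last affected versions are passed on the command line, to be taken from the library's advisory page. The banner strings in the code and test are constructed samples.

```python
import re
import subprocess
import sys

# OpenSSL-style version: "1.0.1f", "1.0.2", "1.1.1k". The patch letter is
# optional; a release without one (1.0.1) sorts before 1.0.1a.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(text):
    """Turn '1.0.1f' into a tuple that compares in release order: (1, 0, 1, 6).
    A missing patch letter becomes rank 0, so 1.0.1 < 1.0.1a < ... < 1.0.2."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letter = m.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(fix), letter_rank)


def version_from_banner(banner):
    """Extract the version token from the output of `openssl version`,
    e.g. 'OpenSSL 1.0.1e 11 Feb 2013' -> '1.0.1e'."""
    m = re.search(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)", banner)
    if not m:
        raise ValueError("no OpenSSL version found in banner: %r" % banner)
    return m.group(1)


def is_affected(version, affected_range):
    """True if `version` lies inside the inclusive [first, last] range an
    advisory lists as affected."""
    first, last = affected_range
    v = parse_version(version)
    return parse_version(first) <= v <= parse_version(last)


def check_installed(affected_range, banner=None):
    """Return (version, affected?) for the local OpenSSL binary. A banner may
    be supplied instead of running the binary (used for offline testing)."""
    if banner is None:
        banner = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        ).stdout
    version = version_from_banner(banner)
    return version, is_affected(version, affected_range)


def main(argv):
    # Usage: check_openssl.py FIRST_AFFECTED LAST_AFFECTED
    # Both values come from the library's advisory page, not from this script.
    if len(argv) != 3:
        print("usage: %s FIRST_AFFECTED LAST_AFFECTED" % argv[0], file=sys.stderr)
        return 2
    version, affected = check_installed((argv[1], argv[2]))
    print("installed OpenSSL %s: %s" % (version, "AFFECTED" if affected else "not in affected range"))
    return 1 if affected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

One caveat to keep in mind: distributions frequently backport security fixes without bumping the upstream version string, so a version that falls inside the advisory's range may already be patched. Treat a hit from this check as "verify against the distribution's package changelog or advisory", not as a final verdict.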


