[Ach] heartbleed -- some background...
L. Aaron Kaplan
aaron at lo-res.org
Fri Apr 11 12:29:32 CEST 2014
On Apr 11, 2014, at 12:17 PM, ianG <iang at iang.org> wrote:
> On 11/04/2014 06:11 am, L. Aaron Kaplan wrote:
>
>> I'd also like to propose to have a small section on heartbleed... at *least* on the web page.
>
>
> You don't get better crypto if you've got the wrong versions of OpenSSL.
> So maybe the answer is to just add that into the sections on OpenSSL,
> "avoid versions x-y and here's how to check."
Right. Okay.
So... maybe the best way to formulate this is something along the lines of:
disclaimer
============
All crypto libraries have bugs and vulnerabilities.
We advise the gentle reader to check the respective websites for known vulnerabilities before deployments.
Here is a list of URLs to check for vulnerabilities:
openssl: https://www.openssl.org/news/
gnutls: http://www.gnutls.org/security.html
...
Better?
>
>> Hopefully this heartbleeding will stop soon and I can get around to working more on bettercrypto again.
>
> It could also be on a corner of the home page which is a blog / latest
> news.
>
Agreed.
However, I think it should be there. It shows that the project did not stop after the first public draft version.
> iang
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach