The exploit has been rumoured for some time. Does it matter who the primary
actors are? They have all the private keys by now and g's/s-view/wifi/scan
has the other half; so that deals with the white-hats. All historical data
dumps can be retrospectively analysed at any time for eternity at one's
As for the code which is in the wild, I enclose a graph of 3 hours' traffic
from the http://filippo.io/Heartbleed/# site, which is using something like
31 machines, showing ~2000 sites being tested every minute, ~360,000 over
3 hours, and that is from a public site; an unknown % will be blackhats.
This is catastrophic and you should believe it's not only our guys that have
it but every other *worth their salt.
InternetNZ almost became a CA in ~2004. We could have fixed this hole now
for .nz with a working revocation system. Then INZ had a new team on board
and it was ....
The ironical blowback is that our "own" might be just as threatened by this.
We just have to get on and deal with this as a priority tomorrow and for the
I am a patriot by the way,
[mailto:firstname.lastname@example.org] On Behalf Of Don Stokes
Sent: Wednesday, 9 April 2014 8:37 p.m.
Subject: Re: [nznog] Message concerning Certs
Is there any indication out there as to how widely this bug has been
exploited? I.e. if you've patched servers in the last 24 hours, how likely
is it that your certificate keys have been leaked over the last months /
Not looking for accurate numbers, just roughly where on the scale of, "this
is possible but no reports of actual use" to "all the black hats have been
doing this for years so you're screwed unless you re-issue and revoke your
certs" the exploit lies.
Also, last time I worried about this, certificate revocation was, uh,
largely unimplemented. That was a while ago. How well does it work now?
And with potentially large numbers of revoked certs?
NZNOG mailing list