  1. #1 (WHT-BR Top Member, joined Dec 2010, 14,981 posts)

    [EN] Akamai was warned about Heartbleed before it became public

    * How did Akamai fix this so quickly, and why didn't you tell your customers in advance?

    As a courtesy to us, we were notified shortly before public disclosure, which gave us enough time to patch our systems. We were asked not to publicly disclose the vulnerability, as doing so would have shortened the window of opportunity for others to fix their systems. Once we were notified, our incident management process governed patching, testing, and deploying the fix to our network safely.
    https://blogs.akamai.com/2014/04/heartbleed-update.html


    And it dropped the ball on fixing the bug.

    Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys. We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community. The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase.

    In short: we had a bug. An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others. In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p. These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability. Given any CRT value, it is possible to calculate all 6 critical values.

    As a result, we have begun the process of rotating all customer SSL keys/certificates. Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer.

    In parallel, we are evaluating the other claims made by the researcher, to understand what actions we can take to improve our customer protection.
    https://blogs.akamai.com/2014/04/hea...update-v3.html
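
The quoted Akamai post says that only d, p and q were kept in secure memory while the CRT values were not, and that any CRT value is enough to reconstruct the key. The following is an added example, not Akamai's or OpenSSL's code, showing why that holds for the two CRT exponents d mod (p-1) and d mod (q-1): with just the public key (n, e) and either exponent, n factors and all six private values follow. The key material is a constructed toy key, far too small for real use.

```python
# Added example (not Akamai's code): a leaked CRT exponent is equivalent to
# leaking the whole RSA private key, which is why the partial secure-memory
# protection of d, p and q alone gave no real protection.
from math import gcd

# Constructed toy key, chosen so the demo runs instantly (never use such sizes).
# 104729 and 1299709 are the 10,000th and 100,000th primes.
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))                       # private exponent d
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)  # the three CRT values


def recover_from_crt_exponent(n: int, e: int, crt_exp: int):
    """Recover (p, q, d, dp, dq, qinv) from (n, e) and one CRT exponent.

    If crt_exp = d mod (p-1) then e*crt_exp = 1 (mod p-1), so by Fermat's
    little theorem g**(e*crt_exp) = g (mod p) for every g not divisible by p.
    Hence gcd(g**(e*crt_exp) - g, n) equals p, or n in the rare case the same
    congruence also holds mod q (then another g is tried).  The first value
    returned is the prime the exponent belongs to, so passing dq instead of
    dp returns the components with p and q swapped.
    """
    for g in range(2, 64):
        p = gcd(pow(g, e * crt_exp, n) - g, n)   # math.gcd accepts negatives
        if 1 < p < n:
            q = n // p
            d = pow(e, -1, (p - 1) * (q - 1))
            return p, q, d, d % (p - 1), d % (q - 1), pow(q, -1, p)
    raise ValueError("no factor found: crt_exp is not d mod (p-1) or d mod (q-1)")


def leak_is_full_compromise(n: int, e: int, crt_exp: int, d: int) -> bool:
    """True if the single leaked CRT exponent reproduces the full private exponent d."""
    return recover_from_crt_exponent(n, e, crt_exp)[2] == d


if __name__ == "__main__":
    for name, value in (("dp", DP), ("dq", DQ)):
        p, q, d, *_ = recover_from_crt_exponent(N, E, value)
        print(f"{name} alone -> n = {p} * {q}, full d recovered: {d == D}")
```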

  2. #2 (WHT-BR Top Member)
    Google's participation in this Caracu project still hasn't been explained ...

    Wasn't Yahoo warned? The NSA also only found out from the newspapers. Sorry for the inconvenience!
    Last edited by 5ms; 15-04-2014 at 21:51.
