Monday, information about a flaw in OpenSSL was released to the public.  This flaw allowed an attacker to grab a random 64k segment of memory contents from the server exploited with this flaw.  With enough attempts, it is possible they could obtain the private key rendering the encryption ineffective.

I became aware of this Tuesday evening thanks to notes from three of our customers and installed the necessary upgrades to OpenSSL to plug this hole.

However, because a small possibility existed that someone may have obtained the private keys in that period of time, I generated new private keys and CSR’s and asked Comodo to re-issue new certificates which they were willing to do at no charge.

These new encryption certificates were installed today.  If you use web mail or the web ssh client, there is a very remote possibility that your password information could have been obtained.

To change your password, ssh to eskimo.com (the old SunOS shell server), and from the command prompt (if you are using esh for a shell, use ‘!’ to get to the command prompt), type “passwd“. (Don’t type the quote marks).  It will prompt first for your existing password and then the new password twice.

Even though this exploit has only been known to the public since Monday, and we closed the hole Tuesday, it has existed in the code for approximately two years.  My concern is that NSA, KGB, and other such agencies probably have known about it and exploited it for several years.

The chances of a random hacker exploiting it successfully in the day it was open are much smaller since not only would they have to execute the exploit repeatedly to get the private key, then they’d have to be in a network position to intercept that encrypted traffic.

Leave a Reply