Title
Invitation to Re-Configure/Transition SSL/TLS Server Settings learned from measures taken with the Open SSL Heartbleed Bug
Abstract
An announcement was made in April 2014 which revealed problems with
boundary checks for processing heartbeat messages, which makes memory
space of machines running Open SSL to be obtainable by a third party.
The need for immediate action was recognised as two years have passed
since the first enbug, and logs do not remain when the memory space of a device is stolen.
In experiments through an organised competition, it has been
demonstrated that private keys can be created by accessing large volumes
of memory information of a device. To address this situation, the
recommendation has been made to recreate the RAS key pairs, which lead
to many certificates to be revocated and reissued.
This presentation examines a few points taking this case as the starting
point: It covers the myth of "withered technologies are safe" in using
applications and protocols, followed by compromised cryptographic algorithms and the use of SSL/TLS today, as well as Forward Secrecy which has caught attention as a result of series of media coverage on NSA's wiretapping.
As a wrap up, we welcome feedbacks from perspectives of Transition engineering, by engineers in the field.
Presenter
Yuji SUGA(Internet Initiative Japan Inc.)