Tonight we have two presenters - 'The Heartbleed Bug' with Jack Radigan and 'The Future of UAV Drones in the Public Space' with Brian Wilson (Good Day NY story).
This month's agenda:
7:00 to 7:20 Networking
7:20 to 7:50 Introductions and Linux News
8:00 to 8:05 Nixie looks @ Ubuntu TV
8:05 to 8:20 ......from the cmd line
8:20 to 8:55 Nick's UAV chat introduces Brian Wilson
8:55 to 9:00 Coffee break - Chit Chat
9:00 -=> Heartbleed bug demo by Jack
Many of us have already been affected by the Heartbleed bug, and Jack will be explaining what it is (was) and giving us a talk on it tonight.
Netcraft's site reports now make it easy to see which websites have or have not revoked their SSL certificates in response to the Heartbleed bug.
Around 17% of all trusted SSL web servers were vulnerable to the Heartbleed bug when it was publicly disclosed earlier this month. The bug made it possible to steal a server's private keys, thus allowing unauthorised parties to impersonate an affected website using its own SSL certificate. Consequently, around a quarter of the 500,000+ potentially-compromised certificates have already been reissued to date, but despite the importance of doing so, relatively few of these have also been revoked.
Some website administrators quickly responded to the Heartbleed bug by upgrading OpenSSL and issuing new SSL certificates, but issuing new certificates alone is not enough. Despite the difficulties involved in online revocation checking during a man-in-the-middle attack, the previous, possibly-compromised certificates must be revoked. Revocation checking can still be effective in some cases, especially when the revocation is included in Google's CRLSets.
For example, Yahoo had several high-profile websites which were vulnerable to the Heartbleed bug, and if the SSL certificates' private keys were compromised, they still are. Although the underlying OpenSSL vulnerability was quickly fixed on Yahoo's servers, it was not quick enough to prevent the vulnerability being exploited to reveal some of the email addresses and passwords used by Yahoo users. Yahoo has since reissued the affected certificates, and with the possibility of a key compromise, it would also have been sensible for Yahoo to revoke the old ones — but they have yet to do so.
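As an added illustration of why revoking the old certificate matters (example code written for this page, not from the announcement or from Netcraft): a throwaway CA built with the openssl command-line tool in a temp directory issues a certificate for the placeholder host example.test, then revokes it and publishes a CRL. Plain chain validation still accepts the revoked certificate, exactly the situation of a reissued-but-not-revoked key, while validation with CRL checking rejects it. It assumes openssl is installed.

```shell
# Added demo (not from the meeting page or Netcraft): throwaway CA, issue, revoke, CRL, verify.
set -e
demo_dir=$(mktemp -d)  # every file below is constructed here; nothing touches a real CA
setup_ca() {
  mkdir -p "$demo_dir/ca"; : > "$demo_dir/ca/index.txt"
  echo 1000 > "$demo_dir/ca/serial"; echo 1000 > "$demo_dir/ca/crlnumber"
  cat > "$demo_dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $demo_dir/ca
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $demo_dir/ca.pem
private_key = $demo_dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" -config "$demo_dir/ca.cnf" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null
}
# issue_cert NAME: sign a server certificate for the placeholder host example.test
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" -config "$demo_dir/ca.cnf" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$demo_dir/ca.cnf" -in "$demo_dir/$1.csr" -out "$demo_dir/$1.pem" 2>/dev/null
}
# revoke_cert NAME: mark the certificate revoked in the CA database, then publish a fresh CRL
revoke_cert() {
  openssl ca -config "$demo_dir/ca.cnf" -revoke "$demo_dir/$1.pem" 2>/dev/null
  openssl ca -config "$demo_dir/ca.cnf" -gencrl -out "$demo_dir/crl.pem" 2>/dev/null
}
# Chain validation only: a revoked certificate still passes, which is why reissuing alone is not enough
verify_chain_only() { openssl verify -CAfile "$demo_dir/ca.pem" "$demo_dir/$1.pem" >/dev/null 2>&1; }
# Chain validation plus CRL check: the revoked certificate is rejected
verify_with_crl() { openssl verify -crl_check -CAfile "$demo_dir/ca.pem" -CRLfile "$demo_dir/crl.pem" "$demo_dir/$1.pem" >/dev/null 2>&1; }
```

Run `setup_ca; issue_cert old; revoke_cert old` and compare `verify_chain_only old` (succeeds) with `verify_with_crl old` (fails with "certificate revoked").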
Though we're primarily a Linux group, all operating systems are welcome (even that Wimpdows one), as our members have Macs, iPads, iPhones, and SmartPhones as well as Linux Desktops/Laptops - so we're a great Q & A resource.