Note that these lists are not exhaustive - just the Alaskan sites that
I'm aware of.
In a related story, I am also working on compiling a list of
Alaskan-based domain names. I'll be soliciting contributions once I
get the bulk work done.
Royce
On Thu, Jun 11, 2015 at 6:21 PM, Royce Williams <royce@tycho.org> wrote:
> A semi-OT public-service announcement for Alaskan geeks, since this is
> the largest forum I'm aware of that contains them. :) It will also
> directly impact any Linux users trying to get to certain web sites,
> including some Alaskan ones. I've been doing some research into SSL
> and TLS recently, so I thought I could provide a heads-up.
>
> Today's OpenSSL annoucement here:
>
> https://www.openssl.org/news/secadv_20150611.txt
>
> ... says:
>
> "OpenSSL has added protection for TLS clients by rejecting handshakes
> with DH parameters shorter than 768 bits. This limit will be increased
> to 1024 bits in a future release."
>
> This is in response to the recently publicized Logjam vulnerability:
>
> https://weakdh.org/
>
>
> As these new OpenSSL patches ripple across the Internet, TLS to the
> following Alaska-affiliated web sites may be affected, because they
> are using 512-bit DH parameters:
>
> akaerospace.com
> akalpinelodge.com
> alaskanmalamute.org
> cityofbarrow.org
> cityofsitka.com
> denalitek.com
> g2const.com
> kbrw.org
> rt.rbcak.org
> web.akalpinelodge.com
> yakandyetialaska.com
>
>
> The list of sites using 768-bit is quite a bit larger, and while
> they're not currently affected by the OpenSSL patches, their days are
> numbered. Action in advance is likely called for. They are as
> follows:
>
> 511ride.alaska.gov
> afsy-swvmm1.asrcfederal.com
> akdesktops.bannerhealth.com
> calendars.k12northstar.org
> climate.iarc.uaf.edu
> eingang.uui-alaska.com
> filter.ideafamilies.org
> follett.nsbsd.org
> mail.k12northstar.org
> mobility.alaskaheart.com
> msggw1.asrc.com
> n-central.structured.com
> nwc-vueadmin.users.nome.uaf.edu
> p6.aicllc.com
> ps.ideafamilies.org
> ps.jsd.k12.ak.us
> ps.juneauschools.org
> ps.nwarctic.org
> pw.matsuk12.us
> pwr.asrc.com
> pwr.asrcfederal.com
> pwr.iaminupiaq.com
> remote.alaskaheart.com
> school.kgbsd.org
> smg2.asrcfederal.com
> smtp.ideafamilies.org
> solarwindsvm.asrcfederal.com
> spam1.asrcfederal.com
> sslvpn.hccontractors.net
> sslvpn.kakivik.com
> support.matsuk12.us
> tempo.arcticslope.org
> vdi.dol.alaska.gov
> webmail.k12northstar.org
> webvac.muni.org
> xtr.correct.state.ak.us
> zimbra.k12northstar.org
> zmail.k12northstar.org
>
> Even those sites running at 1024 bit are affected (though only by
> attackers at the nation-state level, as I understand it). That list
> of hostnames is even longer, and I will defer publishing that for now
> in the interest of brevity. :)
>
> If you are an admin for one of these sites, please go to the Qualys
> SSL Labs server tester to test your site to confirm the weak DH
> parameters, and find tips on how to address the issue:
>
> https://www.ssllabs.com/ssltest/
>
> If you aren't the admin for one of these sites but you know who is,
> please forward this message accordingly.
>
> I've worked with the Qualys results quite a bit, and have also tweaked
> the SSL/TLS parameters in Windows and Linux/Apache land, so if you (or
> they) have any questions, feel free to ping me.
>
> As a side note, be aware that the OpenSSL team will stop supporting
> the 0.9.8 and 1.0.0 branches of OpenSSL after December 2015. There's
> probably a lot of embedded Linux, Linux VPSes, and Linux-based
> appliances out there using these flavors of OpenSSL, so you should
> probably start hunting for them now.
>
> Royce
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Thu Jun 11 18:24:13 2015
This archive was generated by hypermail 2.1.8 : Thu Jun 11 2015 - 18:24:13 AKDT