Hi all,
Well, this week has given the security world quite a shake-up as a result of the OpenSSL Heartbleed bug. I’ve got no reason to suspect my key has actually been compromised, but two things made me decide to revoke my old key and issue a new one:
- It was quite old, dating from 2011. I think I’ll be replacing them every 2~3 years from now on. (new one after two years, old one revoked a year later)
- I’ve got no way to really know if my system was penetrated or not, better to be safe than sorry.
The following is my new key (minus the UIDs, I don’t want to encourage the spam):
pub 4096R/10BDE3B7 2014-04-11 [expires: 2017-04-10] Key fingerprint = 9804 EB67 F914 61DE 967D A1B0 4DFA 1914 10BD E3B7
Right now I’m going through and changing some of my passwords, just to be on the safe side. Thankfully I use a few different passwords (I have “classes” of passwords which I use for different tasks) so those getting revealed is less of a problem than it may have been.
The other good news is that my SSH keys haven’t been compromised, I have been gradually replacing my old DSA one with new RSA ones, and hadn’t copied the private key to my server yet (although the public one was in authorized_keys). That, and my CA key used for this site, was kept on another computer, so it should be okay. I’ve generated new SSL keys just in case though.
The new GPG key is signed with my old one, you can trust that signature if you wish. Don’t trust anything signed by it after this date however.
Now, to re-train my muscle memory with these new passwords. (sigh)
Recent Comments