On the 8th of April, the Heartbleed Bug has been made public. It's a serious programming bug in the openssl library. We've installed the Debian security updates immediately upon availability. Now, we've exchanged our https key and certificate, too.
Indymedia linksunten uses https everywhere since 2012 and we use perfect forward secrecy since the upgrade to Debian wheezy on our mayfirst server. As a consequence, a new session key is generated for every connection so that the data transferred from and to linksunten.indymedia.org cannot be decrypted after the communication has happened only by knowing the secret key even if telecommunications data retention is applied.
In principle, the Heartbleed bug rendered a theft not only of https keys but also of session keys possible. Unfortunately, for us there is no way of determing if such an attack has happened or not. Moreover, a man-in-the-middle attack can be leveraged at any time, but if the secret key is known this attack cannot be detected by comparing the fingerprints of the keys. For this reason we have generated a new https key and certificate as a precautionary measure.
The SHA1 fingerprint of our new certificate is:
80:DB:3E:66:1D:8B:BF:A1:21:A3:D8:B3:06:EB:C6:DD:F0:BD:DB:1E