New revelations on NSA capabilities yesterday in the New York Times: see https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html for a jumping-off point.
The bottom line seems to be:
1) don't use RC4 (we're already working toward that goal, I believe)
2) don't use the Dual_EC_DRBG PRNG (see http://crypto.stackexchange.com/questions/10189/who-uses-dual-ec-drbg)
Can someone take a look at our SSL configuration and see if we have Dual_EC_DRBG enabled? (And if so, turn it off and use a better PRNG!) --scott
ps. apparently Dual_EC_DRBG is built into Windows (!). A good reason not to run your security-critical servers on Windows, I guess...
pps. if we're throwing stones, the Debian PRNG flaw is a big glass window....
ppps. http://blog.cryptographyengineering.com/2012/02/random-number-generation-ill...
pppps. router/switch/firewall compromises have also been a big part of the NSA story. Has anyone looked at our internal network infra closely?
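An added audit helper for the RC4 half of the request above (constructed here, not code from this thread or its servers): it expands an OpenSSL-style cipher string under the OpenSSL 1.0.x rules of the time, where RC4 suites sit in MEDIUM and therefore in DEFAULT, and reports any RC4 suite an nginx `ssl_ciphers` or Apache `SSLCipherSuite` line still leaves negotiable. The suite catalogue and sample config are constructed; the DRBG in use is a library/FIPS-module setting that no cipher string reveals, so Dual_EC_DRBG has to be checked separately.

```python
"""Audit OpenSSL-style cipher strings / server config lines for RC4 (constructed example)."""
import re

# Constructed mini-catalogue: suite name -> keyword tags, modelled on OpenSSL 1.0.x,
# where RC4 suites carried MEDIUM and were still part of DEFAULT.
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"ALL", "HIGH", "kECDHE", "aRSA", "AESGCM"},
    "AES256-SHA":        {"ALL", "HIGH", "kRSA", "aRSA", "AES", "SHA1"},
    "ECDHE-RSA-RC4-SHA": {"ALL", "MEDIUM", "kECDHE", "aRSA", "RC4", "SHA1"},
    "RC4-SHA":           {"ALL", "MEDIUM", "kRSA", "aRSA", "RC4", "SHA1"},
    "RC4-MD5":           {"ALL", "MEDIUM", "kRSA", "aRSA", "RC4", "MD5"},
    "ADH-AES128-SHA":    {"ALL", "HIGH", "kEDH", "aNULL", "AES", "SHA1", "COMPLEMENTOFDEFAULT"},
    "NULL-SHA":          {"eNULL", "kRSA", "aRSA", "SHA1"},   # not in ALL
}
ALIASES = {"DEFAULT": "ALL:!COMPLEMENTOFDEFAULT:!eNULL"}   # 1.0.x definition of DEFAULT

def _tokens(cipher_string):
    """Split on ':', ',' or space and expand compound aliases inline."""
    out = []
    for tok in re.split(r"[:, ]+", cipher_string.strip()):
        if tok:
            out.extend(_tokens(ALIASES[tok]) if tok in ALIASES else [tok])
    return out

def _matches(name, spec):
    """'A+B' requires every tag; a bare suite name matches itself."""
    tags = SUITES[name] | {name}
    return all(t in tags for t in spec.split("+"))

def expand(cipher_string):
    """Ordered list of suites the string enables, following OpenSSL's !, -, + semantics."""
    enabled, killed = [], set()
    for token in _tokens(cipher_string):
        if token.startswith("@"):          # @STRENGTH only re-sorts; membership unchanged
            continue
        op, spec = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n in SUITES if _matches(n, spec)]
        if op == "!":                      # delete and forbid re-adding later in the string
            killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
        elif op == "-":                    # delete, but a later token may re-add
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":                    # move matching suites to the end
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        else:                              # append suites not already present or killed
            enabled += [n for n in hits if n not in enabled and n not in killed]
    return enabled

def rc4_suites(cipher_string):
    """RC4 suites a server configured with this cipher string would still offer."""
    return [n for n in expand(cipher_string) if "RC4" in SUITES[n]]

def audit_config(text):
    """Map each offending nginx ssl_ciphers / Apache SSLCipherSuite line to its RC4 suites."""
    findings = {}
    for line in text.splitlines():
        m = re.match(r'\s*(ssl_ciphers|SSLCipherSuite)\s+"?([^";]+)', line)
        if m and rc4_suites(m.group(2)):
            findings[line.strip()] = rc4_suites(m.group(2))
    return findings
```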