I would add that some of these certificates have the capability, for
instance, to sign Java runtime applets, sign emails, and be used directly as
part of a logon system, and this is therefore not only a web server issue but
a system-wide one, as once the certificate private key is known it can be
used to compromise other services dependent on the user's primary
Also remember this is a backdoor to embedded devices and this must also be
Verisign, Comodo and other major key providers should agree to regenerate
all existing certificates at no charge and our government should support
this to avoid any excuse by anyone that there is a reason not to regenerate.
All organisations' CIOs together with their CEOs must be required to make
this the priority of the day, and their Chairpersons should understand the
risks and consequences of inaction.
I could add a tweet I read about this last night "being an interesting
landing", but the end is in very bad taste and that is what will happen
unless those who know act immediately.
[mailto:firstname.lastname@example.org] On Behalf Of Dean Pemberton
Sent: Wednesday, 9 April 2014 1:22 p.m.
Subject: [nznog] Heartbleed OpenSSL Vulnerability
NZITF (in conjunction with InternetNZ) have been endeavouring to raise
awareness about this issue. We have compiled some information on our
website, which may be of use to you and/or your clients. Please feel free
to share this link as widely as you see fit.
The NZITF is treating this as an ongoing security issue with significant
implications. As a result we are intending to monitor this situation and
update our advice as required.
We have three basic messages for website owners:
1. Establish if your site's servers are vulnerable.
2. Patch the vulnerable servers.
3. Revoke/reissue keys and certificates.
If you are vulnerable it is imperative that you do steps 2 AND 3. Not one,
but both. You should also be encouraged to discuss this very important
issue with your regular security consultants.
If you have feedback or information please feel free to contact me so we can
include it in the advice on the website.
NZNOG mailing list
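
Added example, not part of the original messages: a check for step 3 that the reissued certificate really carries a new key pair, since a certificate reissued over the old key leaves a leaked private key usable. The function names, file names and the demo.example subject are assumptions, and the sample certificates are constructed locally with the openssl command-line tool.

```shell
#!/bin/sh
# Added example: verify that a reissued certificate uses a NEW key pair.
# Function and file names are hypothetical; sample certs are constructed.

# Print the SHA-256 of the certificate's public key (DER SubjectPublicKeyInfo).
# Two certificates built on the same key pair give the same value.
spki_fingerprint() {
    fp_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$fp_pub" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# key_rotated OLD.pem NEW.pem
# Returns 0 if the key changed, 1 if the old key was reused,
# 2 if either certificate could not be read.
key_rotated() {
    kr_old=$(spki_fingerprint "$1") || return 2
    kr_new=$(spki_fingerprint "$2") || return 2
    [ -n "$kr_old" ] && [ -n "$kr_new" ] || return 2
    [ "$kr_old" != "$kr_new" ]
}

# Build constructed sample data in directory $1:
#   old.pem  - the certificate in use before patching
#   same.pem - "reissued" certificate that reuses the old key (bad)
#   new.pem  - reissued certificate on a freshly generated key (good)
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example" \
        -keyout "$1/old.key" -out "$1/old.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/old.key" -days 1 \
        -subj "/CN=demo.example" -out "$1/same.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example" \
        -keyout "$1/new.key" -out "$1/new.pem" 2>/dev/null
}
```

Run `key_rotated old.pem new.pem` against the certificate saved before patching and the one received from the CA; a return value of 1 means the reissue must be repeated with a newly generated key.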