
OpenSSL is widely used and was affected by the Heartbleed bug for years.

A lot of services were impacted and everybody is trying to recover from this bug by updating their systems, generating new certificates, revoking the old ones, and potentially rotating other credentials that could have leaked.

I guess some CAs are using OpenSSL as well.

Could CA private keys have leaked due to the Heartbleed bug?

Thanks!

kunnix
    This question is styled to generate discussion rather than answers; it asks for speculation and does not propose to solve an actual problem. – Michael Hampton Apr 10 '14 at 03:44
  • @MichaelHampton: Yes, the purpose was to get a better understanding of the impact of #heartbleed on Internet security. Maybe StackOverflow would be a better place for this question? – kunnix Apr 10 '14 at 05:59
  • This is not a forum, nor is SO or any other network site, so I doubt you will find one anywhere on the network. – Michael Hampton Apr 10 '14 at 11:29
  • @MichaelHampton: Thanks for your guidance. I read meta and the Help Center and I now understand why it is off-topic. I wasn't intending to generate discussion and I should probably have asked it differently, like "Is there a technical need for a Certificate Authority to store its private key on public-facing hosts?". But it still doesn't try to solve an actual problem and thus I understand it should be closed. – kunnix Apr 12 '14 at 07:28

1 Answer


Could CAs have been compromised by the Heartbleed bug?

Might a CA have been compromised? Maybe. But probably not.

Any CA worth its salt keeps its signing keys on separate systems from its web front-end systems, which might have been vulnerable to Heartbleed. Communications between these key-signing systems and the "front end" systems which distribute signed certificates are very tightly controlled and are unlikely to have been affected by this vulnerability.

EEAA
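The separation the answer describes, as an added shell walkthrough (not from the original post or any CA's tooling): two directories stand in for the isolated signing system and the public-facing host, only a CSR and a signed certificate cross between them, and the CA private key is never present where a TLS memory-disclosure bug could read it. The directory names, subjects and the file-copy "channel" are assumptions.

```shell
#!/bin/sh
# Added illustration: the CA signing key lives only under "signer"; "frontend"
# stands in for the public-facing host and only ever holds the CA *certificate*,
# the CSR it submits and the certificate it gets back.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SIGNER="$WORK/signer"      # isolated signing system (assumed name)
FRONTEND="$WORK/frontend"  # public-facing TLS host (assumed name)
mkdir -p "$SIGNER" "$FRONTEND"

# 1. Signing system: create the CA key and self-signed CA certificate.
#    The key never leaves this directory; only the certificate is published.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Offline CA" \
    -keyout "$SIGNER/ca.key" -out "$SIGNER/ca.crt" 2>/dev/null
  cp "$SIGNER/ca.crt" "$FRONTEND/ca.crt"
}

# 2. Front end: generate its own TLS key and a CSR. Only the CSR crosses the
#    controlled channel to the signer (simulated here by a file copy).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$FRONTEND/server.key" -out "$FRONTEND/server.csr" 2>/dev/null
  cp "$FRONTEND/server.csr" "$SIGNER/inbox.csr"
}

# 3. Signer: issue the certificate and send only the signed certificate back.
sign_csr() {
  openssl x509 -req -in "$SIGNER/inbox.csr" -CA "$SIGNER/ca.crt" \
    -CAkey "$SIGNER/ca.key" -CAcreateserial -days 90 \
    -out "$SIGNER/issued.crt" 2>/dev/null
  cp "$SIGNER/issued.crt" "$FRONTEND/server.crt"
}

# Check: the front end can validate its certificate against the CA certificate,
# yet no CA key exists there to be exposed. Prints "ok" on success.
check_separation() {
  openssl verify -CAfile "$FRONTEND/ca.crt" "$FRONTEND/server.crt" >/dev/null 2>&1 || return 1
  [ ! -e "$FRONTEND/ca.key" ] || return 1
  echo ok
}

make_ca; make_csr; sign_csr; check_separation
```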