Does the Heartbleed Bug in OpenSSL affect ALL SSL certs?

3

Does the Heartbleed Bug in OpenSSL affect ALL SSL certs, regardless of where I purchased or if I self-cert?

For example, if I bought an SSL certificate from GoDaddy and set this up on my server following their Apache tutorial (http://support.godaddy.com/help/article/5238/installing-an-ssl-certificate-in-apache), is this vulnerable to being exploited via Heartbleed?

bwright

Posted 2014-04-09T16:21:38.127

Reputation: 153

1 If the certificate was used in a situation where it was used before OpenSSL was patched, then consider the certificate to be useless and revoke it. – Ramhound – 2014-04-09T16:39:51.920

Answers

7

The bug has no relation to certificates themselves. The bug is in the implementation of the OpenSSL library, which makes it possible for a malicious attacker to retrieve the private key of the server and other confidential information.

With the private key, the attacker can impersonate your web site, and possibly eavesdrop on the traffic between your server and the client.

So, if your server had a vulnerable version of the OpenSSL library, your private key might have been leaked and it is safest to regenerate the private key and get new corresponding certificates.

Tero Kilkanen

Posted 2014-04-09T16:21:38.127

Reputation: 1 405

1 So, assuming one had a vulnerable version of OpenSSL previously and bought a cert from GoDaddy, the ideal method of re-securing one's server would be to install the updated version of OpenSSL, then re-sign & reinstall the certificate? – bwright – 2014-04-09T16:32:30.970

2 Yes, regenerating the private key and getting a corresponding certificate is the safest thing to do after fixing the vulnerability. – Tero Kilkanen – 2014-04-09T16:41:04.880

1 Yes; revoke the current certificate, then issue a new one. – Ramhound – 2014-04-09T16:42:15.553

1 Revocation is also a key step. Without revocation, if an attacker has attacked your server, he can continue to use the cert he stole to impersonate your site. – heavyd – 2014-04-09T16:54:06.750
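The answer and the comments above come down to: patch OpenSSL, generate a new private key, obtain a certificate for that key, and revoke the old certificate. The step that is easy to get wrong is the new key; asking the CA to re-sign the certificate against the same key leaves a possibly leaked private key fully usable. The following added Go example (not code from the question, the answer, or OpenSSL) checks whether a candidate key actually differs from the key bound in the exposed certificate; the "old" certificate is a constructed self-signed stand-in for the CA-issued one, and `www.example.com` is a placeholder name.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate: a constructed stand-in for the CA-issued one.
func selfSigned(key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// keyRotated reports whether candidate differs from the public key bound in the exposed
// certificate. Re-signing on the same key returns false: a leaked private key stays valid.
func keyRotated(exposed *x509.Certificate, candidate interface{}) (bool, error) {
	a, err := x509.MarshalPKIXPublicKey(exposed.PublicKey)
	if err != nil {
		return false, err
	}
	b, err := x509.MarshalPKIXPublicKey(candidate)
	if err != nil {
		return false, err
	}
	return !bytes.Equal(a, b), nil
}

func main() {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	oldCert, _ := selfSigned(oldKey)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	same, _ := keyRotated(oldCert, &oldKey.PublicKey)  // re-sign on the same key
	fresh, _ := keyRotated(oldCert, &newKey.PublicKey) // fresh key, then a new CSR
	fmt.Println(same, fresh) // false true
}
```

Run the check against the real exposed certificate and the key you generated for the new CSR before sending it to the CA; a `false` means the certificate would be reissued on the compromised key.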