Heartbleed OpenSSL


Posted

Nice conversation about this, I am in the process of currently re-issuing all certificates I purchased!!!

 

Caelum IIS can't dodge the bullet IF THE SAME CERT is used on Apache!

Posted

You don't need to re-issue your cert, you just need to update your SSL version. Also, I'm actually surprised you're purchasing a cert, seeing as how they're easily faked. :P

Posted

I don't understand this, does it affect me?

 

http://xkcd.com/1354/ This might help to explain it a little bit. It is a bug that has the potential of leaking all sorts of crucial and personal information, including passwords. Just to be cautious, you may wish to change your passwords, especially for popular sites that were most affected (a list here) and where you may have reused the same common password. This doesn't mean that your personal information was for sure confirmed leaked. It just means that it's possible, and you would never know for certain because the nature of this bug leaves zero evidence behind. It's better to be safe than sorry.

 

Chrome users may also want to enable checking for server certificate revocation, as it is not enabled by default.

 

 

 

EDIT: Though there is also this: http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

 

But it's definitely a good idea to reissue your certs if at all possible. We reissued all of ours.

 

https://www.cloudflarechallenge.com/heartbleed Private keys have successfully been extracted since their (and your) post. So it's definitely good to revoke and reissue them where possible. =P

Posted

You don't need to re-issue your cert, you just need to update your SSL version. Also, I'm actually surprised you're purchasing a cert, seeing as how they're easily faked. :P

 

Re-issue is necessary for complete solution.

SSLs are faked? You mean self-signed? Or do you mean ones from SSL Providers are faked?

Posted

I suppose it doesn't hurt, but it seems a bit excessive. Anyway, SSL certs are quite often faked/generated by people. Only super legit agencies (from what I've heard) actually purchase certs (dey so expensive)

Posted

I suppose it doesn't hurt, but it seems a bit excessive. Anyway, SSL certs are quite often faked/generated by people. Only super legit agencies (from what I've heard) actually purchase certs (dey so expensive)

 

Normal ones, not business grade, for one website usually <£150 a year if you're looking right

 

For the green bar that's excessive but worth it for big corporations, £500 a year, and for the true big heads like Google, BECOME THEIR OWN CertAuthority!

 

If your business defo worth it, or making some kind of revenue!! For other purposes, I would agree Eez
