Addressing the OpenSSL ("Heartbleed") vulnerability
As you are aware, OpenSSL versions from 1.0.1 through 1.0.1f have a serious vulnerability that could expose server encryption keys used for SSL and TLS protected communications, as well as any confidential data, including passwords, being communicated to and from vulnerable servers.
Thus, it is critical that anyone who manages a web server that uses the OpenSSL library ensures that the following actions are taken:
- Ensure that OpenSSL is upgraded to the latest version, 1.0.1g.
- After the software is upgraded, have any certificates installed on that server revoked and reissued, since the encryption keys may be compromised.
Note - Anyone with SDP-issued certificates (those from the InCommon Federation) who wishes to renew their certificates should generate a new Certificate Signing Request (CSR) and ask SDP to issue a new certificate from the new CSR and to revoke the old certificate. The requestor need only submit an OPM ticket to SDP-Incoming containing the CSR.
Those with self-signed certificates or other certificates not obtained through SDP can replace them with SDP-issued certificates by using the same CSR process described above.
- Additionally, since an attacker who has obtained a system's server encryption keys could uncover IDs and passwords that were transmitted to that system, please encourage your constituents to change their passwords after your servers have been updated.
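The two server-side steps above (confirm the installed version is outside the affected range, then generate a fresh key and CSR for reissuance) as a small POSIX shell helper. This is an added example, not part of the original notice; the subject DN and output file names are placeholders.

```sh
#!/bin/sh
# Added example (not from the original notice).
# Checks whether an OpenSSL version string falls in the Heartbleed-affected
# range (1.0.1 through 1.0.1f) and generates a new key plus CSR for reissuance.

# Return 0 (true) if the version token is affected, 1 otherwise.
# Affected: "1.0.1" exactly and "1.0.1a" .. "1.0.1f"; 1.0.1g and later are fixed.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce the output of `openssl version` to its bare version token,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e" (vendor suffix dropped).
# Caveat: distribution packages may backport the fix while keeping the
# upstream version string, so also check the vendor package changelog.
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}' | sed 's/-.*//'
}

# Generate a brand-new RSA private key and a CSR for it. Never reuse the
# old key: the point of reissuance is that it may have been exposed.
# $1 = output basename (writes $1.key and $1.csr), $2 = subject DN.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "$2"
    chmod 600 "$1.key"
}

# Report on the locally installed OpenSSL, if any.
if command -v openssl >/dev/null 2>&1; then
    ver=$(openssl_version_token "$(openssl version)")
    if heartbleed_affected "$ver"; then
        echo "OpenSSL $ver is in the affected range: upgrade, then reissue certificates." >&2
    else
        echo "OpenSSL $ver is outside the upstream-affected range (verify vendor backports)."
    fi
fi

# Placeholder usage for the reissuance step (subject values are not real):
#   new_key_and_csr server "/CN=www.example.org/O=Example Org"
```

Submit the resulting server.csr through the ticket process described above and keep server.key on the server only.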
Please note that any external services you use (e.g., online banking, shopping sites, etc.) may also have been affected by the vulnerability, so for your own protection, please consider changing passwords on those sites as well, after the site owners indicate that the issue has been addressed.