Wednesday, 23 April 2014

Heartbleed revisited

So, now the Heartbleed bug is a few days old and the work is nearly done.

So let's talk a bit about the history.
  1. On Sun, 1 Jan 2012 00:59:57 +0200 somebody committed a heartbeat extension to the OpenSSL git repository.
  2. On last Sunday/Monday Google found a bug in this extension, or at least openssl.org finally reported the bug.
  3. On late Monday and early Tuesday we had a tiny little website that could tell you whether your server is affected by this bug.
  4. Some hours later Go code was available, so we could check even more systems.
  5. Finally an nmap plugin was available, and now we can scan the full IP range and every port.
  6. Most SSL CAs were unable to handle the re-certification (or re-signing) of the certs via API; a solution was available on early Thursday.
So what have we done during these lovely days (and what should you have done too)?
  1. We started to close the SSL vulnerability by patching all our systems.
  2. We recreated our private SSL keys and re-certified them.
  3. We started to call the bug the "Fingerbleed" bug.
  4. We exchanged all of our certs.
  5. We talked to some customers and helped them identify the bug and provided solutions.
  6. We changed all our passwords.
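Step 2 above is the one that is easy to get half right: a cert that was only re-signed over the old private key gets a fresh date but keeps the key that may have leaked. The Go program below is an added example (not the Go checker mentioned in the history, and not this site's code) that shows how to tell the two apart by comparing the SubjectPublicKeyInfo of the old and the replacement cert; the keys, certs, hostname and dates are constructed in memory for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Heartbleed went public on 7 April 2014; a key in service before that may have leaked.
var Disclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)
// IssuedAfterDisclosure is the cheap check: does the replacement cert post-date the bug?
func IssuedAfterDisclosure(cert *x509.Certificate) bool {
	return !cert.NotBefore.Before(Disclosure)
}
// KeyRotated compares SubjectPublicKeyInfo: a cert merely re-signed over the old key is not rotated.
func KeyRotated(old, replacement *x509.Certificate) bool {
	return !bytes.Equal(old.RawSubjectPublicKeyInfo, replacement.RawSubjectPublicKeyInfo)
}
func NewKey() *ecdsa.PrivateKey { // stands in for generating the replacement server key
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}
// SelfSigned builds constructed test data: a self-signed cert for key, valid from notBefore.
func SelfSigned(key *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "www.example.test"}, NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
func main() {
	oldKey, newKey := NewKey(), NewKey()
	before := SelfSigned(oldKey, Disclosure.AddDate(-1, 0, 0))
	fmt.Println(KeyRotated(before, SelfSigned(oldKey, Disclosure.AddDate(0, 0, 2)))) // false: re-signed only
	fmt.Println(KeyRotated(before, SelfSigned(newKey, Disclosure.AddDate(0, 0, 2)))) // true: key regenerated
}
```

Against real servers you would feed `KeyRotated` the cert you had archived before the patch and the one the server presents now; both checks passing is what "recreated and re-certified" actually means.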

So finally I guess we can say it with Atkins' lyrics:

If you're goin' through hell keep on going
Don't slow down, if you're scared don't show it
You might get out before the devil even knows you're there