Ask HN: SSL Certs need to be revoked, right?

7 pointsbodhi12y ago5 comments

So, Heartbleed. But it's not enough just to generate new certificates, right? You actually need to get the CA to revoke the old one, otherwise the (possibly stolen) original private key is still valid?

Or have I lost it?

5 comments

5 comments · 4 top-level

arcdigital12y ago· 1 in thread

When you have a CA rekey a cert, they will revoke the old one. (This doesn't apply if you are using your own CA, I'm only talking about commercial ones like Globalsign, Geotrust, Comodo, etc...)

bodhiOP12y ago

Can you tell me more? Is rekeying a common option for most registrars?

computer12y ago

Yes. If you run something sensitive, you should also consider:

- Invalidating any open sessions (i.e. cookies), since those could have been stolen.

- Force password changes for all users (since those could have been intercepted in memory)

- Change internal passwords.

glimcat12y ago

Anything that was in memory was potentially leaked in a way that can't be traced. Certs, SSH keys, user passwords, database passwords...

Oh, and if an admin logged in at any time during the window in which you were vulnerable to Heartbleed, or if any similar credential ended up in memory in any way during that period - consider yourself rooted.

Heartbleed is a "burn down the server, redeploy, restore database backups, expire all credentials" event, not just an "apt-get update, done" problem. And it hit over 2/3rds of HTTPS websites (ideally: anything with passwords, then some).

pritambaral12y ago

Yes.

You haven't lost it.

j / k navigate · click thread line to collapse