Ask HN: SSL Certs need to be revoked, right?
So, Heartbleed. But it's not enough just to generate new certificates, right? You actually need to get the CA to revoke the old one, otherwise the (possibly stolen) original private key is still valid?
Or have I lost it?
5 comments
[ 2.2 ms ] story [ 20.2 ms ] threadYou haven't lost it.
- Invalidating any open sessions (i.e. cookies), since those could have been stolen.
- Force password changes for all users (since those could have been intercepted in memory)
- Change internal passwords.
Oh, and if an admin logged in at any time during the window in which you were vulnerable to Heartbleed, or if any similar credential ended up in memory in any way during that period - consider yourself rooted.
Heartbleed is a "burn down the server, redeploy, restore database backups, expire all credentials" event, not just an "apt-get update, done" problem. And it hit over 2/3rds of HTTPS websites (ideally: anything with passwords, then some).