tomcat-dev mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "Security/Heartbleed" by SebastianBazley
Date Sun, 13 Apr 2014 13:09:15 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Security/Heartbleed" page has been changed by SebastianBazley:
https://wiki.apache.org/tomcat/Security/Heartbleed?action=diff&rev1=2&rev2=3

Comment:
Revoke certificates

   
   1. Re-key your server. This means creating a new RSA or DSA server key, creating a new
CSR for your Certificate Authority, and applying for a replacement certificate. All CAs allow
for the revocation of a server certificate due to “key compromise” which is exactly the
reason for the re-keying of your server. You should be able to obtain a replacement certificate
at no charge, though free-certificate providers may charge a fee for revocation/replacement.
  
+  1. Revoke any certificates that might have been compromised.
+ This does not guarantee that the old certificate cannot still be used in MITM attacks, as
most browsers don't check revocations in a timely fashion (if at all).
+ However it should help to catch some attacks.
+ 
  == Is there anything else I need to do? ==
  
  Yes: you need to change any password that ever traversed your HTTP server while vulnerable.
That pretty much means you have to change all passwords, and notify your users that they should
change all their passwords as well. Unfortunately, any other sensitive information that traversed
your server should be consider compromised. In many cases, there is nothing to be done unless
that information can be changed (credit card numbers, account numbers, passwords etc.).
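Review bot: The new list item leaves the ordering with the preceding step implicit; since revoking the old certificate before the replacement from step 1 is installed would take the site down, the item would be clearer as "Once the replacement certificate is installed, revoke the old one." It also says "any certificates that might have been compromised", which is vaguer than the surrounding text: the page has just stated that the server key is to be treated as compromised, so the item should name that certificate directly (every certificate issued for the exposed key). Finally, the caveat about browsers not checking revocation is a good addition, but "MITM" should be spelled out on first use ("man-in-the-middle") and the sentence "However it should help to catch some attacks" would read better as "Revocation still blocks clients that do check, so it is worth doing."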


