tomcat-dev mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "Security/Heartbleed" by SebastianBazley
Date Sun, 13 Apr 2014 21:38:07 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Security/Heartbleed" page has been changed by SebastianBazley:
https://wiki.apache.org/tomcat/Security/Heartbleed?action=diff&rev1=5&rev2=6

Comment:
Mention wild-card certificates

  
  == Is there anything else I need to do? ==
  
+ Yes: you need to change any password that ever traversed any HTTP server that was using
the potentially compromised certificate. If the certificate was a wildcard certificate, then
a single vulnerable server would be sufficient to compromise the certificate and thus the
traffic on all other servers using the same certificate.
+ 
- Yes: you need to change any password that ever traversed your HTTP server while vulnerable.
That pretty much means you have to change all passwords, and notify your users that they should
change all their passwords as well. Unfortunately, any other sensitive information that traversed
your server should be consider compromised. In many cases, there is nothing to be done unless
that information can be changed (credit card numbers, account numbers, passwords etc.).
+ That pretty much means you have to change all passwords, and notify your users that they
should change all their passwords as well. Unfortunately, any other sensitive information
that traversed your server should be consider compromised. In many cases, there is nothing
to be done unless that information can be changed (credit card numbers, account numbers, passwords
etc.).
  
  == What about servers for services that I use personally? ==
  
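Review bot: In the added first paragraph, "compromise the certificate" is imprecise, because the certificate itself is public and what a vulnerable server can leak is the private key that belongs to it. I suggest wording such as "a single vulnerable server would be sufficient to expose the certificate's private key and thus the traffic on all other servers using the same certificate". In the same paragraph, "any HTTP server that was using the potentially compromised certificate" should probably read "HTTPS server", since only TLS endpoints use the certificate. The new sentence also drops the old qualifier "while vulnerable"; if the wider scope is intended, it is worth saying why passwords sent before or after the vulnerable window are included. Finally, the re-added second paragraph still carries the typo "should be consider compromised", which should be "considered".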

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

