Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "Security/Heartbleed" page has been changed by SebastianBazley: https://wiki.apache.org/tomcat/Security/Heartbleed?action=diff&rev1=2&rev2=3 Comment: Revoke certificates 1. Re-key your server. This means creating a new RSA or DSA server key, creating a new CSR for your Certificate Authority, and applying for a replacement certificate. All CAs allow for the revocation of a server certificate due to “key compromise” which is exactly the reason for the re-keying of your server. You should be able to obtain a replacement certificate at no charge, though free-certificate providers may charge a fee for revocation/replacement. + 1. Revoke any certificates that might have been compromised. + This does not guarantee that the old certificate cannot still be used in MITM attacks, as most browsers don't check revocations in a timely fashion (if at all). + However it should help to catch some attacks. + == Is there anything else I need to do? == Yes: you need to change any password that ever traversed your HTTP server while vulnerable. That pretty much means you have to change all passwords, and notify your users that they should change all their passwords as well. Unfortunately, any other sensitive information that traversed your server should be consider compromised. In many cases, there is nothing to be done unless that information can be changed (credit card numbers, account numbers, passwords etc.). --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
