On 4/8/2014 8:50 PM, Steven Schveighoffer wrote:
> On Mon, 07 Apr 2014 21:36:28 -0400, Nick Sabalausky
> <[email protected]> wrote:
>
>> Whelp, time for that server system upgrade I've been putting off for
>> far too long...
>
> In theory, patching OpenSSL doesn't solve the problem, because someone
> could have previously used the vulnerability to get your private key.
>
> So technically you need to also get a new cert. This is what my
> password-generation vendor (lastpass.com) is recommending:
>
> 1. Generate a new password for your most critical sites.
> 2. But only after they get a cert dated after today!
>
> I don't think many people understand this aspect.
>
> Hopefully, this vulnerability was not known by hackers before it was
> announced. Even if it was, there is quite a window of opportunity for
> them as the patched sites roll out.


Very good point.

Luckily for me (and yet, simultaneously embarrassing), my server's version of openssl turned out not to be affected. Which is nice since I *just* paid for a new cert about one week ago.

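An added worked example (the editor's, not code from either poster) for the triage the two messages describe: classify an `openssl version` banner against the affected range, parse the output of `openssl x509 -noout -dates`, and only treat a site as recovered when the certificate it now serves was issued after the server was patched AND carries a public key different from the one served while the server was vulnerable. That second condition is the caveat missing from the "cert dated after today" rule: a certificate reissued from the old CSR has a fresh date and the same leaked key. Assumptions of mine that the thread never states: the bug is CVE-2014-0160 (Heartbleed), disclosed 7 April 2014, affecting upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; every banner, date and key digest below is constructed inline for the demo.

```python
import re
from datetime import datetime, timezone

# Assumption (the thread never names the bug): the OpenSSL flaw discussed above
# is CVE-2014-0160, "Heartbleed", disclosed 7 April 2014. Upstream-affected
# releases are 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is the first fix.
DISCLOSURE_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def openssl_version_affected(banner):
    """Classify the output of `openssl version`.

    Returns True if the upstream release has the bug, False if it does not,
    None if the banner is not an OpenSSL banner. Caveat: Debian, Red Hat and
    other distributions backport fixes without bumping the upstream letter, so
    on a distribution build True means "read the package changelog", not
    "exposed".
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    release = (int(major), int(minor), int(fix))
    if release == (1, 0, 1):
        # 1.0.1 (no letter) up to and including 1.0.1f; 1.0.1g and later are fixed.
        return letter == "" or letter <= "f"
    if release == (1, 0, 2):
        return beta == "1"
    # 0.9.8 and 1.0.0 do not contain the heartbeat extension code at all.
    return False


_OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_dates(dates_text):
    """Parse `openssl x509 -noout -dates` output into (notBefore, notAfter), UTC."""
    found = {}
    for line in dates_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            # OpenSSL pads the day with a space ("Apr  8"); collapse it for strptime.
            stamp = datetime.strptime(" ".join(value.split()), _OPENSSL_DATE)
            found[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def safe_to_rotate_password(old_key_sha256, new_cert_dates_text, new_key_sha256, server_patched_at):
    """Decide whether a site has actually recovered from a possibly leaked key.

    Both conditions are required: the certificate now served was issued after
    the server stopped being vulnerable, and its public key differs from the
    one served while it was vulnerable. A "new" certificate minted from the
    old CSR reuses the old key, and a date check alone waves it through.
    Returns (ok, reason).
    """
    not_before, _ = parse_openssl_dates(new_cert_dates_text)
    if not_before < server_patched_at:
        return False, "certificate issued while the server could still leak its key"
    if new_key_sha256 == old_key_sha256:
        return False, "certificate reissued but the public key did not change"
    return True, "new key, issued after the server was patched"


# Constructed sample data, not captured from any real server.
PATCHED_AT = datetime(2014, 4, 8, 18, 0, tzinfo=timezone.utc)
OLD_KEY_SHA256 = "0" * 64  # placeholder digest of the key served while vulnerable
NEW_KEY_SHA256 = "f" * 64  # placeholder digest of a freshly generated key
CERT_BEFORE_PATCH = "notBefore=Apr  1 12:00:00 2014 GMT\nnotAfter=Apr  1 12:00:00 2015 GMT\n"
CERT_AFTER_PATCH = "notBefore=Apr  9 09:30:00 2014 GMT\nnotAfter=Apr  9 09:30:00 2015 GMT\n"

if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.0k 5 Feb 2013"):
        print(banner, "->", openssl_version_affected(banner))
    print(safe_to_rotate_password(OLD_KEY_SHA256, CERT_BEFORE_PATCH, NEW_KEY_SHA256, PATCHED_AT))
    print(safe_to_rotate_password(OLD_KEY_SHA256, CERT_AFTER_PATCH, OLD_KEY_SHA256, PATCHED_AT))
    print(safe_to_rotate_password(OLD_KEY_SHA256, CERT_AFTER_PATCH, NEW_KEY_SHA256, PATCHED_AT))
```

To feed real inputs: `openssl version` gives the banner, `openssl x509 -in cert.pem -noout -dates` gives the dates text, and `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` gives the public-key digest, which you record once from the certificate served before the patch and once from the replacement. Keeping the digest rather than the serial or the dates is what catches a reissue that reused the old key.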