I would add that some of these Certificates have the capability, for instance, to sign Java runtime applets, sign emails, and be used directly as part of a logon system, and this is therefore not only a web server issue but a system-wide one, as once the certificate private key is known it can be used to compromise other services dependent on the user's primary certificate.

Also remember this is a backdoor to embedded devices and this must also be addressed forthwith.

Verisign, Comodo and other major key providers should agree to regenerate all existing certificates at no charge and our government should support this to avoid any excuse by anyone that there is a reason not to regenerate.

All organisations' CIOs together with their CEOs must be required to make this the priority of the day and their Chairpersons should understand the risks and consequences of inaction.

I could add a tweet I read about this last night "being an interesting landing", but the end is in very bad taste and that is what will happen unless those who know act immediately.

Sincerely
Michael Sutton
+64 21 305500

-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Dean Pemberton
Sent: Wednesday, 9 April 2014 1:22 p.m.
To: nznog
Subject: [nznog] Heartbleed OpenSSL Vulnerability

Hi All,

NZITF (in conjunction with InternetNZ) have been endeavouring to raise awareness about this issue. We have compiled some information on our website, which may be of use to you and/or your clients. Please feel free to share this link as widely as you see fit.

http://www.nzitf.org.nz/news.html

The NZITF is treating this as an ongoing security issue with significant implications. As a result we are intending to monitor this situation and update our advice as required.

We have three basic messages for website owners:

1. Establish if your site's servers are vulnerable.
2. Patch the vulnerable servers.
3. Revoke/reissue keys and certificates.
If you are vulnerable it is imperative that you do steps 2 AND 3. Not one, but both.

You should also be encouraged to discuss this very important issue with your regular security consultants.

If you have feedback or information please feel free to contact me so we can include it in the advice on the website.

Regards,
Dean
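
A check for step 3 in the message above, as an added example that is not part of the original thread: a certificate reissued over the old key pair is still exposed if that private key leaked, so this script compares the public-key hashes of the old and new certificates and confirms the new certificate matches the key deployed on the server. The file names are hypothetical, and it assumes the `openssl` command-line tool is installed and the private key file is unencrypted.

```shell
#!/bin/sh
# Added example (not from the thread). File names below are hypothetical.
# Confirms that a reissued certificate really carries a new key pair.

# Print the hex SHA-256 of a PEM public key read from stdin (hashed as DER).
spki_sha256() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a PEM certificate.
cert_spki_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_sha256
}

# SHA-256 of the public half of an unencrypted PEM private key.
key_spki_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_sha256
}

# 0 = new certificate uses a different key, 1 = same key reused, 2 = unreadable input.
key_was_rotated() {
    old=$(cert_spki_hash "$1") || return 2
    new=$(cert_spki_hash "$2") || return 2
    [ "$old" != "$new" ]
}

# 0 = certificate belongs to this private key, 1 = mismatch, 2 = unreadable input.
cert_matches_key() {
    c=$(cert_spki_hash "$1") || return 2
    k=$(key_spki_hash "$2") || return 2
    [ "$c" = "$k" ]
}

# Usage: sh check_reissue.sh old-cert.pem new-cert.pem new-key.pem
if [ "$#" -eq 3 ]; then
    key_was_rotated "$1" "$2" || { echo "FAIL: key not rotated (or unreadable)"; exit 1; }
    cert_matches_key "$2" "$3" || { echo "FAIL: new cert does not match deployed key"; exit 1; }
    echo "OK: new key pair in use"
fi
```

A return of 1 from `key_was_rotated` means the certificate was reissued over the old key pair, so a new key must be generated and the certificate requested again.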