There is no way to know for sure. The exploit leaves no trace unless you
were looking for it with something like very specific network detection
signatures.
As I've said before, there are 3 required steps.
Identify affected equipment.
This could be anything linking to OpenSSL. Web servers, mail servers, VPN
servers, even routers which use TLS to secure configuration sessions.
Patch affected equipment.
All of it. Do it now or turn it off.
Revoke and reissue all key material and Certs.
If you use PKI in anger then key/cert rollovers should have been part of an
emergency plan anyway. You've all got emergency key rollover procedures in
place for DNSSEC as well, right :)
Do all the steps.
It's like people who try and bargain or rationalise their way out of
rebuilding servers they know have been compromised. We all know it's best
practice, just do it.
Dean
On Wednesday, April 9, 2014, Don Stokes
Is there any indication out there as to how widely this bug has been exploited? I.e. if you've patched servers in the last 24 hours, how likely is it that your certificate keys have been leaked over the last months / year?
Not looking for accurate numbers, just roughly where on the scale of, "this is possible but no reports of actual use" to "all the black hats have been doing this for years so you're screwed unless you re-issue and revoke your certs" the exploit lies.
Also, last time I worried about this, certificate revocation was, uh, largely unimplemented. That was a while ago. How well does it work now? And with potentially large numbers of revoked certs?
-- don
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog