There is no way to know for sure. The exploit leaves no trace unless you were looking for it with something like very specific network detection signatures.

As I've said before, there are 3 required steps.

Identify affected equipment.
This could be anything linking to OpenSSL. Web servers, mail servers, VPN servers, even routers which use TLS to secure configuration sessions.

Patch affected equipment.
All of it. Do it now or turn it off.

Revoke and reissue all key material and Certs.
If you use PKI in anger then key/cert rollovers should have been part of an emergency plan anyway. You've all got emergency key rollover procedures in place for DNSSEC as well, right :)

Do all the steps.
It's like people who try and bargain or rationalise their way out of rebuilding servers they know have been compromised. We all know it's best practice, just do it.


Dean

On Wednesday, April 9, 2014, Don Stokes <don@daedalus.co.nz> wrote:
Is there any indication out there as to how widely this bug has been
exploited? I.e. if you've patched servers in the last 24 hours, how
likely is it that your certificate keys have been leaked over the last
months / year?

Not looking for accurate numbers, just roughly where on the scale of,
"this is possible but no reports of actual use" to "all the black hats
have been doing this for years so you're screwed unless you re-issue and
revoke your certs" the exploit lies.

Also, last time I worried about this, certificate revocation was, uh,
largely unimplemented. That was a while ago. How well does it work now?
And with potentially large numbers of revoked certs?

-- don

_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog