[Box Backup] Advice for users of Debian-derived systems affected by the OpenSSL fiasco -- assume compromise of all data

Matt Brown boxbackup@fluffy.co.uk
Mon, 19 May 2008 13:07:44 +0100


Hi,

> There are several scenarios that need to be taken into consideration:

Just as a question, I have a number of clients who use Ubuntu Dapper 6.06 LTS who were unaffected, as I understand, by the SSL issue.

All the .raw keys were generated on these hosts, so I guess these are OK; however, the CA was an affected server, so this being used to create the serverCA.pem and sign all the clients' csr.pem files was an issue.

What I have done in this instance is update the SSL on the affected server, recreate the CA, re-sign all existing clients' csr.pem files and re-issue a new serverCA.pem.

Is this enough?

I am taking the assumption, as no-one but me has access to the store and I create and admin all certs, set up the clients etc., that the risk of someone accessing the data is minimal?

In addition, as the .raw keys were never an issue, the only weakness in this instance was the actual store allowing weak SSL connections?

I am really hoping to avoid re-sync'ing all the data, as it would take days ...

Regards

Matt
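The re-keying procedure described in the message above (recreate the CA on a host whose OpenSSL has been updated, re-sign the existing clients' csr.pem files, issue a new serverCA.pem), written out as an added example. This is not Box Backup's own bbstored-certs tooling and not code from the thread; it assumes only the plain openssl command-line tool, and the client key, CSR and CA names it creates are constructed stand-ins. Besides re-signing, it checks the one property that matters here: a certificate issued by the old CA must no longer verify against the new serverCA.pem, which confirms the store is actually trusting a fresh CA key rather than the old one re-wrapped in a new certificate.

```shell
#!/bin/sh
# Added example, not part of Box Backup or of the original post.
# Assumes: openssl CLI on PATH (any reasonably recent 1.1.x or 3.x).
set -eu

# Scratch directory; everything below is constructed for the demo.
WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR NAME: generate a brand-new CA key and self-signed serverCA.pem.
# Generating a new *key* is the essential step: re-signing with the old CA key
# (made on the affected host) would keep the weak key in the trust chain.
make_ca() {
    ca_dir="$1"; ca_name="$2"
    mkdir -p "$ca_dir"
    openssl genrsa -out "$ca_dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$ca_dir/ca.key" -days 3650 \
        -subj "/CN=$ca_name" -out "$ca_dir/serverCA.pem" 2>/dev/null
}

# resign_csr CADIR CSR OUT: sign an existing client csr.pem with the CA in CADIR.
# The client's own key is untouched, which is exactly the situation in the post
# (.raw keys made on unaffected Dapper hosts; only the CA needs replacing).
resign_csr() {
    ca_dir="$1"; csr="$2"; out="$3"
    openssl x509 -req -in "$csr" -CA "$ca_dir/serverCA.pem" \
        -CAkey "$ca_dir/ca.key" -CAcreateserial -days 3650 -out "$out" 2>/dev/null
}

# verify_cert CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero otherwise.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: build an "old" CA and a "new" CA, one constructed client CSR, sign it
# with both, and return 0 only if the new CA accepts the new cert and rejects
# the old one. The account name is a constructed placeholder.
demo() {
    make_ca "$WORK/old-ca" "Box Backup old CA (constructed)"
    make_ca "$WORK/new-ca" "Box Backup new CA (constructed)"
    openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/client.key" \
        -subj "/CN=BACKUP-00000001" -out "$WORK/csr.pem" 2>/dev/null
    resign_csr "$WORK/old-ca" "$WORK/csr.pem" "$WORK/old-cert.pem"
    resign_csr "$WORK/new-ca" "$WORK/csr.pem" "$WORK/new-cert.pem"

    # New cert must verify against the new serverCA.pem ...
    verify_cert "$WORK/new-ca/serverCA.pem" "$WORK/new-cert.pem" || return 1
    # ... and a cert from the old CA must be rejected by it.
    if verify_cert "$WORK/new-ca/serverCA.pem" "$WORK/old-cert.pem"; then
        return 1
    fi
    echo "OK: new CA accepts re-signed cert and rejects old-CA cert ($WORK)"
    return 0
}

demo
```

The script only replaces the CA and the certificates; it deliberately does nothing to client keys, mirroring the case in the post where the .raw keys were generated on unaffected hosts. If any client key had been generated on an affected Debian or Ubuntu host, that key would have to be regenerated too, and re-signing its csr.pem would not help, because a CSR carries the same weak public key.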