[Box Backup] Advice for users of Debian-derived systems affected by the OpenSSL fiasco -- assume compromise of all data
Mon, 19 May 2008 13:12:34 +0100
>> There are several scenarios that need to be taken into consideration:
> Just as a question, I have a number of clients who use Ubuntu Dapper
> 6.06 LTS who were unaffected as I understand by the SSL issue.
> All the .raw keys were generated on these hosts - so I guess these
> are ok, however the CA was an affected server - so this being used
> to create the serverCA.pem and sign all the clients csr.pem files
> was an issue.
> What I have done in this instance is update the SSL on the affected
> server, recreate the CA, re-sign all existing clients' csr.pem
> files and re-issue a new serverCA.pem.
> Is this enough?
> I am making the assumption, as no one but me has access to the store
> and I create and admin all certs, set up the clients, etc., that the
> risk of someone accessing the data is minimal?
> In addition, as the .raw keys were never an issue, the only weakness
> in this instance was the actual store allowing weak SSL connections?
> I am really hoping to avoid re-sync'ing all the data, as it would
> take days ...
P.S. I should also add that the store was running an affected distro ...
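As an added example (not code from the Box Backup list or project), the following POSIX shell script carries out the rotation the quoted message describes using the OpenSSL command-line tool: create a replacement CA, re-sign an existing client CSR with it, and verify that the re-issued certificate chains to the new CA while the old CA can no longer validate it. All file names, subjects and directories are constructed for the demo; the optional weak-key check assumes Debian's openssl-blacklist package (which provides openssl-vulnkey) is installed and is skipped otherwise. Re-signing of this kind restores authentication for future sessions only; it says nothing about data that already crossed connections protected by weak keys, which is why the subject line says to assume compromise.

```shell
#!/bin/sh
# Added example: rotate a CA and re-issue client certificates with OpenSSL,
# then check which CA each certificate chains to. Assumes the openssl CLI.
set -eu

# Create a fresh CA private key and self-signed CA certificate in directory $1
# with common name $2 (stands in for recreating the CA on the fixed server).
make_ca() {
  dir=$1; name=$2
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=$name" >/dev/null 2>&1
}

# Generate a client key and CSR in $1 with common name $2
# (stands in for a client's existing csr.pem; a constructed key, not a .raw file).
make_csr() {
  dir=$1; cn=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" -subj "/CN=$cn" >/dev/null 2>&1
}

# Sign CSR $1 with the CA stored in directory $2, writing the certificate to $3.
sign_csr() {
  csr=$1; cadir=$2; out=$3
  openssl x509 -req -in "$csr" -CA "$cadir/ca.pem" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 30 -out "$out" >/dev/null 2>&1
}

# Return 0 if certificate $1 verifies against the CA in directory $2, 1 otherwise.
chains_to() {
  if openssl verify -CAfile "$2/ca.pem" "$1" >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
}

# Print "weak", "ok" or "unchecked" for private key $1. Relies on Debian's
# openssl-vulnkey (assumed to exit non-zero for a blacklisted key); skipped
# when the tool is not installed.
key_status() {
  if ! command -v openssl-vulnkey >/dev/null 2>&1; then
    echo unchecked; return 0
  fi
  if openssl-vulnkey -q "$1" >/dev/null 2>&1; then echo ok; else echo weak; fi
}

# Build the scenario from the message: a cert issued by the affected CA, then
# the same CSR re-signed by a replacement CA. Prints the working directory.
rotate_demo() {
  work=$(mktemp -d)
  old="$work/old-ca"; new="$work/new-ca"
  mkdir -p "$old" "$new"
  make_ca "$old" "affected-ca"
  make_csr "$work" client1
  sign_csr "$work/client1.csr" "$old" "$work/client1-old.pem"
  make_ca "$new" "replacement-ca"
  sign_csr "$work/client1.csr" "$new" "$work/client1-new.pem"
  echo "$work"
}

main() {
  w=$(rotate_demo)
  echo "client key status: $(key_status "$w/client1.key")"
  for c in client1-old client1-new; do
    for ca in old-ca new-ca; do
      if chains_to "$w/$c.pem" "$w/$ca"; then r=yes; else r=no; fi
      echo "$c.pem chains to $ca: $r"
    done
  done
}

main
```

Run it as `sh rotate.sh`; the report shows the old certificate validating only against the old CA and the re-issued one only against the replacement, which is the state every client and the store's serverCA.pem should reach once the old CA is retired.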