[Box Backup] Advice for users of Debian-derived systems affected by the OpenSSL fiasco -- assume compromise of all data

Matt Brown boxbackup@fluffy.co.uk
Mon, 19 May 2008 13:12:34 +0100


> Hi,
>> There are several scenarios that need to be taken into consideration:
> Just as a question, I have a number of clients who use Ubuntu Dapper  
> 6.06 LTS who were unaffected as I understand by the SSL issue.
> All the .raw keys were generated on these hosts - so I guess these  
> are ok, however the CA was an affected server - so this being used  
> to create the serverCA.pem and sign all the clients csr.pem files  
> was an issue.
> What I have done in this instance is update the SSL on the affected  
> server, recreate the CA and re-sign all existing clients csr.pem  
> files and re-issue a new serverCA.pem ..
> Is this enough ?
> I am taking the assumption as no-one but me has access to the store,  
> and I create and admin all certs, setup the clients etc - that the  
> risk of someone accessing the data is minimal ?
> In addition as the .raw keys were never an issue, the only weakness  
> in this instance was the actual store allowing weak SSL connections ?
> I am really hoping to avoid re-sync'ing all the data, as it would  
> take days ...
> Regards
> Matt

P.S I should also add the store was running an affected Distro ...