科技回声
A technology news platform built on Next.js, providing global tech news and discussion content.

Many sites reusing Heartbleed-compromised private keys

50 points, by eliot_sykes, about 11 years ago

5 comments

abritishguy, about 11 years ago

You should not be responsible for website security if you don't understand the absolute basics of SSL certificates.

It would be helpful if the CA (or reseller) confirmed (displayed a warning) that you really want to reissue with the same private key and explained the implications of doing so.

When reissuing a certificate the default behaviour should be to revoke the old one after some specified time has elapsed - that is what reissuing is for and what distinguishes it from simply buying a new certificate.
mobiplayer, about 11 years ago

This.

The problem is that many people in the industry don't really understand the basics. How come there is a leak of your certificate, if that's the public key you're showing to every single client that connects to your SSL-enabled site?

I've even seen sysadmins advising on forums about reissuing certs after Heartbleed, but no word about the keys.
pronoiac, about 11 years ago

Ugh. I think it would be better if revocation covered the public key instead of the serial number. (I'll ignore CRL bandwidth costs and the questionable usefulness of revocations.)
nodata, about 11 years ago
i.e. they re-used the same CSR without realising that the CSR references the old compromised key.
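The failure mode the two comments above describe (a reissue request built from the old CSR, so the "new" certificate is bound to the same compromised private key) is mechanical and easy to catch before the request leaves your hands: compare the SubjectPublicKeyInfo of the certificate you are replacing with the public key embedded in the CSR. The Go program below is an added example written for this page, not code from the thread or from any CA; it uses only the standard library, constructs its own throwaway key pairs and a self-signed "old" certificate with a hypothetical host name, and shows both the mistaken reissue (same key) and the correct one (fresh key).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint returns the SHA-256 of the DER-encoded SubjectPublicKeyInfo.
// Two certificates or CSRs with equal fingerprints are bound to the same key pair,
// whatever their serial numbers, validity dates or issuer say.
func spkiFingerprint(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// ReusesCompromisedKey reports whether the CSR (DER) carries the same public key as the
// old certificate (DER), i.e. whether a reissue from this CSR would keep the old private key.
func ReusesCompromisedKey(oldCertDER, csrDER []byte) (bool, error) {
	cert, err := x509.ParseCertificate(oldCertDER)
	if err != nil {
		return false, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false, err
	}
	// A CSR whose self-signature does not verify is not worth comparing against.
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	oldFP, err := spkiFingerprint(cert.PublicKey)
	if err != nil {
		return false, err
	}
	csrFP, err := spkiFingerprint(csr.PublicKey)
	if err != nil {
		return false, err
	}
	return oldFP == csrFP, nil
}

// The helpers below only build constructed test material; "www.example.test" is hypothetical.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func selfSignedCert(key *rsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func csrFor(key *rsa.PrivateKey) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "www.example.test"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Demo returns the check's verdict for a CSR built from the old key and for one built from a fresh key.
func Demo() (reusedOldKey bool, freshKey bool) {
	oldKey := newKey()
	oldCert := selfSignedCert(oldKey)
	sameKeyCSR := csrFor(oldKey) // the mistake: CSR regenerated from (or reused with) the old key
	freshCSR := csrFor(newKey()) // the fix: new key pair first, then a new CSR
	r1, err := ReusesCompromisedKey(oldCert, sameKeyCSR)
	if err != nil {
		panic(err)
	}
	r2, err := ReusesCompromisedKey(oldCert, freshCSR)
	if err != nil {
		panic(err)
	}
	return r1, r2
}

func main() {
	same, fresh := Demo()
	fmt.Printf("reissue from the old CSR reuses the compromised key: %v\n", same)
	fmt.Printf("reissue from a fresh CSR reuses the compromised key: %v\n", fresh)
}
```

The same comparison can be done at the command line by hashing the output of `openssl x509 -pubkey -noout -in old.crt` and `openssl req -pubkey -noout -in new.csr`; if the two hashes match, generate a new key before submitting the request. Because the check keys on the SPKI rather than the serial number, it also illustrates pronoiac's point: a revocation list keyed by serial says nothing about whether the key itself has been retired.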
unreal37, about 11 years ago
The odds of this being a real issue that will affect anyone are in the tiny fractions of a percent range.