Heartbleed Response Announcement
April 9, 2014
Major Security Vulnerability Impacts Majority of Web
Ever since first learning of the threats posed by a newly uncovered vulnerability in OpenSSL (the tools and protocols used to secure and encrypt web traffic), the team at Lyconic has been working hard to protect Inteliguide & Patrolguide from exploitation.
We've already applied all the patches and suggested fixes to ensure our services are not vulnerable, but that doesn't mean that we're done dealing with this threat.
We want to take every precaution possible and every suggested countermeasure no matter how improbable in order to fully ensure the security and stability of our services. That's why we're going to schedule upcoming maintenance.
Scheduled Maintenance Window Set for April 12, 2014 0900 CDT
Since the vulnerability created the remote chance that our SSL certificates may have been compromised before we updated our servers, we're going to replace them with all new certificates with new private keys. This requires maintenance that may interrupt our services for up to 10 minutes at a time for a period of 1 hour starting April 12, 2014 at 0900 CDT. Please be aware that this could mean some brief downtime and plan accordingly.
This doesn't just impact Inteliguide & Patrolguide:
Many of the websites and web services that you've come to rely on every day may have been compromised and/or could still be vulnerable. There are many compiled lists of vulnerable sites, but it's easiest to double check your favorites using this handy utility:
http://filippo.io/Heartbleed/
Just click on the above link and type in any website for a quick check.
More reading: Major bug called ‘Heartbleed’ exposes Internet data
UPDATE: Please Change Your Password
Now that all other precautions have been taken, it's time to change your password. This is crucially important for Roles that have higher privileges, access rights, and abilities in the system. If your existing password was compromised due to the Heartbleed threat, it is possible that someone could gain unauthorized access to your account unless you change that password. Please do so as soon as possible.
The New Certificates & Chrome
We've had some select reports describing problems loading our new rekeyed certificates in Chrome browsers. Here's a quick workaround that has worked for us on the newest version of Chrome:
- Go to Chrome's settings by clicking the top right menu button (icon of three horizontal parallel lines), then click 'Settings'
- In Settings, search for 'cert'
- Look for the HTTPS/SSL settings and check the "Check for server certificate revocation" checkbox
- Clear your cache by searching for 'cache' and then either resetting your browser settings or clearing specific cache settings by clicking the 'Clear browsing data...' button
- Restart your browser
This should load the correct cert. If you dive even deeper, you should be able to see the new serial number.
Server cert revocation check:
New cert serial #:
Click on the 'lock' icon besides the URL in your browser. Then click the connection tab. Then click on the 'Certificate information' link. On that dialog, click the Details tab, and verify the cert serial number appears as below. If the cert you see does NOT match what's in the below image, then your browser is likely trying to load the old one.
0 Comments