If so, that must be an awful lot of web servers, with a horrendous cost for everyone to buy new certificates etc. if there's no reliable way to determine what if anything was compromised.
Would any of our resident security experts like to suggest best practices under such circumstances?
(Edit: It looks like the page I linked above has been updated and a patch is going into Wheezy security as I write this.)
(Edit 2: Confirmed that Wheezy security updates now include openssl 1.0.1e-2+deb7u5 and related libssl changes.)
All reasonable certificate authorities will — at no cost — revoke your existing certificate and issue you a new certificate with the same expiration date as your old certificate. You'd just need to send the CA a new certificate signing request created from a newly-generated RSA key pair.
If your CA wants you to buy a new certificate to recover from a key compromise, your CA is taking you for a ride, and you should find a less horrible CA to throw your money at.
https://security-tracker.debian.org/tracker/CVE-2014-0160
If so, that must be an awful lot of web servers, with a horrendous cost for everyone to buy new certificates etc. if there's no reliable way to determine what if anything was compromised.
Would any of our resident security experts like to suggest best practices under such circumstances?
(Edit: It looks like the page I linked above has been updated and a patch is going into Wheezy security as I write this.)
(Edit 2: Confirmed that Wheezy security updates now include openssl 1.0.1e-2+deb7u5 and related libssl changes.)