[IMPORTANT] OpenSSL-Bug > Reset PW + Cert after Install

Maerad

After a phone call I just had about another case with the OpenSSL bug, I would like to stress one of the most important points AFTER the fix.

THIS APPLIES NOT ONLY TO KERIO CONNECT, BUT ALSO TO ANY SYSTEM THAT USES OPENSSL WITH THE HEARTBLEED BUG!

After the install of the new OpenSSL version or program with the Heartbleed bug...

1. CHANGE the SSL certificate! For any self-made ones, just create a new one. For an official one, declare the old one invalid and request a new cert.
2. FORCE a password change! And this for every one you have. As a company or reseller, force a change for every user and/or inform the customers about it. The new passwords should be completely different from the old ones. IF someone cracked the data with the bug, he has usernames and passwords in clear text. Any following attack will try the old password in all "lazy" combinations. Like PW bla12%23 is now bla12%24
3. CHECK your other tools on the network, not only the server and clients. The OpenSSL module is used in a wide range of software, from Linux PCs (SSH login!), routers, switches, phone systems etc. to many integrated server systems like Kerio, ERP etc.
Or if you have something out on the internet like a webcam. If you are unsure about them and you need access, use a VPN and no port mapping.

Can't stress those points enough ...

[Updated on: Wed, 09 April 2014 12:54]
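
Added example, not part of the original post and not Kerio Connect code: a password-change check that rejects the "lazy" variants point 2 describes (bla12%23 becoming bla12%24). The function names and the `min_distance` threshold are assumptions, and it presumes the change form asks for the current password so both values are only compared in memory.

```python
import re

def _levenshtein(a: str, b: str) -> int:
    """Edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _stem(pw: str) -> str:
    """Case-fold and drop the trailing digits/symbols users typically rotate."""
    return re.sub(r"[\W\d_]+$", "", pw.casefold())

def is_lazy_change(old: str, new: str, min_distance: int = 4) -> bool:
    """True if `new` could be guessed cheaply by someone who knows `old`.

    min_distance is an assumed policy threshold, not a value from the post.
    """
    o, n = old.casefold(), new.casefold()
    # Same password with different casing, or simply reversed.
    if o == n or o == n[::-1]:
        return True
    # Old password with something bolted on (or chopped off).
    if min(len(o), len(n)) >= 3 and (o in n or n in o):
        return True
    # Same word stem with a rotated suffix: bla12%23 -> bla12%24, bla2015!
    so, sn = _stem(old), _stem(new)
    if len(so) >= 3 and so == sn:
        return True
    # Anything else within a few keystrokes of the old value.
    return _levenshtein(o, n) < min_distance

if __name__ == "__main__":
    # Constructed sample pairs (old, new); the first is the post's own example.
    samples = [("bla12%23", "bla12%24"), ("bla12%23", "Bla12%23!"),
               ("bla12%23", "xla12%24"), ("bla12%23", "correct-horse-7-staple")]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {'REJECT' if is_lazy_change(old, new) else 'ok'}")
```

Run the check at the moment of the forced change and refuse the new password when it returns `True`.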

Pavel Dobry (Kerio)
