Difference between revisions of "SSL Certificaten"

From Cncz
m ([Heartbleed OpenSSL lek][Heartbleed OpenSSL bug])
([SSL certificaten][SSL certificates])
 
(7 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
[nl]
 
[nl]
Iedere service beschikbaar via SSL (https) moet een SSL certificaat hebben, zo ook elke webserver met versleutelde of "beveiligde" inhoud. Een SSL (Secure Socket Layer) certificaat is een elektronisch getekende garantie dat een bepaalde server daadwerkelijk de server is die deze claimt te zijn. Ze worden hoofdzakelijk (maar niet alleen) gebruikt om webpagina's te geven via een versleutelde verbinding. Een certificaat is getekend door een Certificate Authority (CA), deze verzekert de integriteit van het certificaat.
+
Iedere service die beschikbaar is via SSL (https), moet een SSL certificaat hebben, zo ook elke webserver met versleutelde of "beveiligde" inhoud. Een SSL (Secure Socket Layer) certificaat is een elektronisch getekende garantie dat een bepaalde server daadwerkelijk de server is die deze claimt te zijn. Ze worden hoofdzakelijk (maar niet alleen) gebruikt om webpagina's te geven via een versleutelde verbinding. Een certificaat is getekend door een Certificate Authority (CA), deze verzekert de integriteit van het certificaat.
  
Een aantal Certificate Authorities wordt standaard vertrouwd door SSL clients (inclusief web-browsers), o.a. Verisign, Thawte en Terena. Dat wil zeggen dat certificaten door een van deze getekend zonder meer vertrouwd worden zonder tussenkomst van de gebruiker. Tot voor kort tekende C&CZ de certificaten zelf maar inmiddels (via Surfdiensten) zijn alle servers en webapplicaties voorzien van door Terena (via SURFdiensten) getekende certificaten.
+
Een aantal Certificate Authorities wordt standaard vertrouwd door SSL clients (inclusief web-browsers), o.a. Verisign, Thawte en Terena. Dat wil zeggen dat certificaten door een van deze getekend zonder meer vertrouwd worden zonder tussenkomst van de gebruiker. Alle C&CZ servers en webapplicaties zijn voorzien van door Terena (via SURFdiensten) getekende certificaten.
 
[/nl]
 
[/nl]
  
Line 10: Line 10:
 
Any service accessible via SSL (https) must have an SSL certificate. This includes any web server with encrypted or "secure" content. An SSL (Secure Socket Layer) certificate is a signed electronic guarantee that a particular server is the server it claims to be. Certificates are used primarily (but not exclusively) for providing web pages via an encrypted connection. A certificate is signed by a Certificate Authority (CA) which ensures the integrity of the certificate.
 
Any service accessible via SSL (https) must have an SSL certificate. This includes any web server with encrypted or "secure" content. An SSL (Secure Socket Layer) certificate is a signed electronic guarantee that a particular server is the server it claims to be. Certificates are used primarily (but not exclusively) for providing web pages via an encrypted connection. A certificate is signed by a Certificate Authority (CA) which ensures the integrity of the certificate.
  
A few Certificate Authorities such as Verisign, Thawte, and Terena are automatically trusted by SSL clients (including web browsers), so certificates signed by these companies are validated without user confirmation. Until recently C&CZ signed its own certificates but now all certificates of servers and web applications are signed by Terena (through SURFdiensten).
+
A few Certificate Authorities such as Verisign, Thawte, and Terena are automatically trusted by SSL clients (including web browsers), so certificates signed by these companies are validated without user confirmation. All C&CZ certificates of servers and web applications are signed by Terena (through SURFdiensten).
 
[/en]
 
[/en]
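Review bot: the expansion "Secure Socket Layer" in the first sentence of both the old and the new text should read "Secure Sockets Layer". The last sentence also overstates the CA's role: the CA vouches for the binding between the server's name and its public key, while the integrity of the certificate itself is protected by the CA's signature. Suggest: "A certificate is signed by a Certificate Authority (CA), which vouches for the identity of the server and protects the certificate against tampering."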
  
Line 34: Line 34:
 
April 7, 2014, a two-year-old vulnerability was announced in several versions of [https://www.openssl.org/ OpenSSL]. OpenSSL is used for encrypting network traffic. Because of this vulnerability, an attacker could have retrieved the secret key of a service, with which traffic could be decrypted. In addition to this, due to this vulnerability an attacker could read the memory of the service, thereby retrieving sensitive information like passwords.
 
April 7, 2014, a two-year-old vulnerability was announced in several versions of [https://www.openssl.org/ OpenSSL]. OpenSSL is used for encrypting network traffic. Because of this vulnerability, an attacker could have retrieved the secret key of a service, with which traffic could be decrypted. In addition to this, due to this vulnerability an attacker could read the memory of the service, thereby retrieving sensitive information like passwords.
  
After the announcement of this [ http://heartbleed.com/ Heart Bleed OpenSSL leak] all vulnerable C&CZ services were automatically repaired. On Thursday, April 10th, we have deployed new certificates for these services. The old certificates will be [http://nl.wikipedia.org/wiki/Certificate_revocation_list revoked]. If one has used the following C&CZ services, it is wise to change the Science password on the [http://diy.science.ru.nl DIY website]. The old password could have become known to an attacker.
+
After the announcement of this [http://heartbleed.com/ Heart Bleed OpenSSL leak] all vulnerable C&CZ services were automatically repaired. On Thursday, April 10th, we have deployed new certificates for these services. The old certificates will be [http://nl.wikipedia.org/wiki/Certificate_revocation_list revoked]. If one has used the following C&CZ services, it is wise to change the Science password on the [http://diy.science.ru.nl DIY website]. The old password could have become known to an attacker.
  
 
The list of vulnerable C&CZ services that employees or students of the Faculty of Science may have used:
 
The list of vulnerable C&CZ services that employees or students of the Faculty of Science may have used:
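Review bot: the new paragraph says new certificates were deployed and the old ones will be revoked, but not that new private keys were generated. Since the preceding paragraph states the secret key could have been retrieved, re-keying is the step that actually neutralises the leak; a certificate reissued over the same key pair gives no protection, and revocation only helps clients that consult the CRL or OCSP. Suggest: "we have deployed new certificates, with newly generated keys, for these services". Minor: with a fixed date, "we have deployed" should be "we deployed".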
Line 61: Line 61:
  
 
* Het [http://www.ru.nl/ictservicecentrum/actueel/nieuws/berichten/dringend-advies-0/ ISC] o.a. over het RU-wachtwoord.
 
* Het [http://www.ru.nl/ictservicecentrum/actueel/nieuws/berichten/dringend-advies-0/ ISC] o.a. over het RU-wachtwoord.
* De grote Nederlandse banken hebben aangegeven geen OpenSSL te gebruiken en dus niet kwetsbaar geweest te zijn voor dit lek, al [https://twitter.com/cducroix/status/453452094268510208/photo/1 lijkt dit niet helemaal te kloppen].
+
* De grote Nederlandse banken hebben [http://nos.nl/artikel/633432-beveiligde-internetverbindingen-lek.html volgens de NOS] aangegeven geen OpenSSL te gebruiken en dus niet kwetsbaar geweest te zijn voor dit lek. De NOS linkt naar een [https://twitter.com/cducroix/status/453452094268510208/photo/1 Twitterpagina die anders zegt].
 
* Een [http://www.volkskrant.nl/vk/nl/2694/Tech-Media/article/detail/3632963/2014/04/10/Heartbleed--lek-deze-wachtwoorden-kunt-u-het-best-zo-snel-mogelijk-wijzigen.dhtml lijst van Internet bedrijven samengesteld door de Volkskrant].
 
* Een [http://www.volkskrant.nl/vk/nl/2694/Tech-Media/article/detail/3632963/2014/04/10/Heartbleed--lek-deze-wachtwoorden-kunt-u-het-best-zo-snel-mogelijk-wijzigen.dhtml lijst van Internet bedrijven samengesteld door de Volkskrant].
* Een [http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_campaign=Feed%3A+Mashable+%28Mashable%29&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_medium=feed&utm_source=feedburner&utm_content=Google+International overzicht van grote Internetbedrijven].
+
* Een (Engelstalig) [http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_campaign=Feed%3A+Mashable+%28Mashable%29&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_medium=feed&utm_source=feedburner&utm_content=Google+International overzicht van grote Internetbedrijven].
 
[/nl]
 
[/nl]
 
[en]
 
[en]
 
Other organisations than C&CZ will also inform users about the need to change passwords due to this vulnerability. A few examples:
 
Other organisations than C&CZ will also inform users about the need to change passwords due to this vulnerability. A few examples:
  
* The [http://www.ru.nl/ictservicecentrum/actueel/news/@938292/security-leak/ ISC about a.o. the RU password.
+
* The [http://www.ru.nl/ictservicecentrum/actueel/news/@938292/security-leak/ ISC] about a.o. the RU password.
* The big Dutch banks let know that they do not use OpenSSL and thus not have been vulnerable to this bug. This looks [https://twitter.com/cducroix/status/453452094268510208/photo/1 not 100% correct].
+
* The big Dutch banks let know [http://nos.nl/artikel/633432-beveiligde-internetverbindingen-lek.html according to the NOS] that they do not use OpenSSL and thus not have been vulnerable to this bug. The NOS links to a [https://twitter.com/cducroix/status/453452094268510208/photo/1 Twitter page that says different].
* A [http://www.volkskrant.nl/vk/nl/2694/Tech-Media/article/detail/3632963/2014/04/10/Heartbleed--lek-deze-wachtwoorden-kunt-u-het-best-zo-snel-mogelijk-wijzigen.dhtml list van Internet companies put together by the Dutch newspaper de Volkskrant].
+
* A (Dutch) [http://www.volkskrant.nl/vk/nl/2694/Tech-Media/article/detail/3632963/2014/04/10/Heartbleed--lek-deze-wachtwoorden-kunt-u-het-best-zo-snel-mogelijk-wijzigen.dhtml list van Internet companies put together by the Dutch newspaper de Volkskrant].
* A [http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_campaign=Feed%3A+Mashable+%28Mashable%29&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_medium=feed&utm_source=feedburner&utm_content=Google+International overview of big Internet companies].
+
* An [http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_campaign=Feed%3A+Mashable+%28Mashable%29&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_medium=feed&utm_source=feedburner&utm_content=Google+International overview of big Internet companies].
 
[/en]
 
[/en]
  
 
[[Category:Internet]]
 
[[Category:Internet]]
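Review bot: in the English list, the third item still reads "list van Internet companies", the Dutch "van" carried over from the previous revision; it should be "list of Internet companies". The second item is also awkward: "let know ... that they do not use OpenSSL and thus not have been vulnerable" reads better as "have stated ... that they do not use OpenSSL and thus were not vulnerable", and "says different" should be "says otherwise". The added closing bracket after "ISC" in the first item is correct.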

Latest revision as of 14:57, 11 April 2014

SSL certificates

Any service accessible via SSL (https) must have an SSL certificate. This includes any web server with encrypted or "secure" content. An SSL (Secure Sockets Layer) certificate is a signed electronic guarantee that a particular server is the server it claims to be. Certificates are used primarily (but not exclusively) for providing web pages over an encrypted connection. A certificate is signed by a Certificate Authority (CA), which ensures the integrity of the certificate.

A few Certificate Authorities such as Verisign, Thawte, and Terena are automatically trusted by SSL clients (including web browsers), so certificates signed by these companies are validated without user confirmation. All C&CZ certificates of servers and web applications are signed by Terena (through SURFdiensten).

Obtaining a certificate

Because SSL certificates are used as proof of the validity of the web site or server, it is not possible to acquire a signed SSL certificate for just any domain name. The Certificate Authorities check if the person or organisation requesting a certificate is indeed the owner of the domain name for which the certificate is requested. Domain names registered through C&CZ are owned by the Radboud University. Therefore C&CZ can also request SSL Certificates for these domain names.

Heartbleed OpenSSL bug

On April 7, 2014, a vulnerability that had existed for two years was announced in several versions of OpenSSL. OpenSSL is used for encrypting network traffic. Through this vulnerability an attacker could have retrieved the secret key of a service, with which traffic could be decrypted. In addition, an attacker could read the memory of the service, thereby retrieving sensitive information such as passwords.

After the announcement of this Heartbleed OpenSSL bug, all vulnerable C&CZ services were automatically repaired. On Thursday, April 10, we deployed new certificates for these services; the old certificates will be revoked. If you have used any of the following C&CZ services, it is wise to change your Science password on the DIY website, because the old password could have become known to an attacker.
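An added check, not part of the C&CZ page, for what "new certificates" must mean after a key leak: the replacement certificate has to carry a newly generated public key and be issued after the fix was in place, otherwise the leaked key stays usable. It uses only the Go standard library; the host name, the patch date and the certificates are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RekeyProblem says why newCert fails to mitigate a leak of oldCert's private key ("" = sound).
func RekeyProblem(oldCert, newCert *x509.Certificate, patchedAt time.Time) string {
	if newCert.NotBefore.Before(patchedAt) {
		return "issued before the fix was deployed: its key could already have leaked"
	}
	// Compare the SubjectPublicKeyInfo, not serial or fingerprint: a CA will reissue over the same key pair.
	if sha256.Sum256(oldCert.RawSubjectPublicKeyInfo) == sha256.Sum256(newCert.RawSubjectPublicKeyInfo) {
		return "same public key: reissued, not re-keyed"
	}
	return ""
}
// selfSigned builds a constructed self-signed certificate for host (test data only).
func selfSigned(key *ecdsa.PrivateKey, host string, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// Scenario checks three replacement certificates for a host patched on a constructed date.
func Scenario() (reissued, tooEarly, rekeyed string) {
	leaked, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair exposed by the bug
	fresh, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // newly generated key pair
	patched := time.Date(2014, 4, 8, 0, 0, 0, 0, time.UTC)
	old := selfSigned(leaked, "host.example", patched.AddDate(-1, 0, 0))
	reissued = RekeyProblem(old, selfSigned(leaked, "host.example", patched.AddDate(0, 0, 2)), patched)
	tooEarly = RekeyProblem(old, selfSigned(fresh, "host.example", patched.AddDate(0, 0, -1)), patched)
	rekeyed = RekeyProblem(old, selfSigned(fresh, "host.example", patched.AddDate(0, 0, 2)), patched)
	return reissued, tooEarly, rekeyed
}
func main() { fmt.Println(Scenario()) }
```

Only the third replacement passes: the first keeps the compromised key, the second was issued while the bug was still present.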

The list of vulnerable C&CZ services that employees or students of the Faculty of Science may have used:

  • Mail users:
    • squirrel.science.ru.nl: The old Science webmail service was vulnerable since January 29, 2014.
    • roundcube.science.ru.nl: The new Science webmail service.
    • autoconfig.science.ru.nl: The website for automatic configuration of mail clients like Thunderbird and Outlook.
  • Lecturers: dossiers.science.ru.nl and eduview.science.ru.nl
  • MySQL database owners: phpmyadmin.science.ru.nl
  • FNWI news letter editors: newsroom.science.ru.nl
  • Websites of departments and study association:
    • www.sos.cs.ru.nl
    • prover.cs.ru.nl
    • demo.irmacard.org
    • molchem.science.ru.nl
    • www.beevee.nl
    • fmsresearch.nl

Other organisations than C&CZ will also inform users about the need to change passwords due to this vulnerability. A few examples: