In response to a reported vulnerability in the popular OpenSSL cryptographic library, Comodo is urging its customer, partners and all users of OpenSSL to apply the most recent patched updates as soon as possible. Comodo will work with customers, partners, platform vendors and service providers to help ensure affected parties are made fully aware of the issue over the coming days, and that customer systems are updated with the fixed version of OpenSSL.
Although the vulnerability is not directly related to Comodo’s certificates and keys, certificates generated using affected versions of OpenSSL should be revoked and replaced. Comodo will ensure that customers can quickly and easily acquire a certificate reissuance after patching their OpenSSL.
Who is Vulnerable?
This issue is only a concern if you have installed OpenSSL 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta. All other SSL implementations and digital certificate users are unaffected, including all users of Microsoft’s IIS web server.
If you are not sure if your affected, Comodo has updated its SSL analysis tool for you to check. Simply enter your address on the following page:
Note: Only enter domains that are using SSL. If this site is busy, you can also use https://sslanalyzer.comodoca.com/
If you are vulnerable, Comodo will work with you to help ensure that your systems are updated with the fixed version of OpenSSL. We will assist you in quickly and easily acquiring a certificate reissuance that may be required as a result of patching OpenSSL. Call +1 888-256-2608 or Email: Enterprisesolutions@comodo.com to speak to an Enterprise SSL expert.
What is the Vulnerability?
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.
Discovery of Heartbleed
The Heartbleed bug was uncovered by a group of security engineers from Codenomicon and Neel Mahta from Google Security. On April 7, 2014, they announced vulnerability in the popular OpenSSL cryptographic library to the Internet community. Aptly labeled as the Heartbleed bug, this vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f (inclusive).
It is important to understand that Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The flaw is not related or introduced by publicly trusted certificates and is instead a problem with server software.
To Upgrade Your Server
Check your package manager for an updated OpenSSL package and install it. If you do not have an updated OpenSSL package, contact your Service Provider to obtain the latest version of OpenSSL and install it.
Only use these workarounds if you cannot upgrade to the latest version of OpenSSL. If you are unable to upgrade to the latest OpenSSL version, do one of the following:
- Rollback to OpenSSL version 1.0.0 or earlier.
- Recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag.
To Rekey, Reissue, and Revoke Your Certificates
First, you need to rekey and reissue your certificates, which you do by creating a new key pair and Certificate Signing Request (CSR). To replace your certificate, do the following:
1. Log in to your account via https://secure.comodo.com
2. Click on SSL Certificates
3. Find the certificate you would like to replace/re-issue and click Replace
4. Follow all on screen instructions.
Once you have successfully replaced your new certificate, you need to revoke the old one. To do this, log into your account as before, click ‘SSL certificate’, locate the *old* certificate order and click the ‘Revoke’ link.
Again, don’t hesitate to contact email@example.com if you need help with this.