The InCommon Certificate Program Manager provided the following recommendation:
“– *IF* you had servers that were vulnerable to this attack, after updating the OpenSSL code as required, please note that you should ALSO replace the public/private keys and associated SSL/TLS certificate associated with that server/those servers, revoking the earlier (now potentially compromised) SSL/TLS certificate(s).
— We would also encourage you to review the configuration of each SSL/TLS server using the excellent evaluation page (note that you can check the box “Do not show the results on the boards” should you desire to do so). As part of reviewing those results, we encourage you to consider enabling ciphers that support Forward Secrecy (see
— As part of managing the risks associated with this incident, you may also want to consider additional remedial steps, depending upon the content that may have been potentially intercepted on a vulnerable server (whether on-site or off). For example, if there’s a possibility that passwords were exposed, you may want to consider whether you’ll need to reset or reissue those once the system has been updated and secured.”
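The recommendation above as a triage checklist, written here as an added example (not InCommon's or the original post's code). The host inventory, host names and field layout are constructed; the version test assumes upstream OpenSSL version strings, since distributions that backport the fix keep an older version number.

```python
"""Heartbleed (CVE-2014-0160) remediation triage over a constructed host inventory."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug; 1.0.1g is the first fixed
# release. Assumption: upstream version strings (backported distro builds need a package check).
def openssl_vulnerable(version: str) -> bool:
    if version == "1.0.2-beta1":
        return True
    if not version.startswith("1.0.1"):
        return False
    return version[len("1.0.1"):] in ("", "a", "b", "c", "d", "e", "f")

def non_forward_secret(cipher_suites: List[str]) -> List[str]:
    """Suites without ephemeral (EC)DH: a leaked private key decrypts recorded sessions."""
    return [c for c in cipher_suites if not c.startswith(("ECDHE-", "DHE-"))]

UPDATE = "update OpenSSL to a fixed release"
REKEY = "generate a new key pair, reissue the certificate, revoke the old one"
RESET = "reset passwords and other secrets that may have transited the server"
FS = "enable forward-secrecy (ECDHE/DHE) cipher suites"

@dataclass
class Host:
    name: str
    openssl_version: str        # version in service when the bug was disclosed
    cert_not_before: date       # notBefore of the certificate currently presented
    patched_on: Optional[date]  # date OpenSSL was updated, None if not yet
    cipher_suites: List[str]

def remediation_actions(h: Host) -> List[str]:
    actions = []
    if openssl_vulnerable(h.openssl_version):
        if h.patched_on is None:
            actions.append(UPDATE)
        # A key that lived in a vulnerable process may have leaked, so only a certificate
        # issued strictly after the patch date is accepted as a fresh key pair.
        if h.patched_on is None or h.cert_not_before <= h.patched_on:
            actions.append(REKEY)
        actions.append(RESET)
    if non_forward_secret(h.cipher_suites):
        actions.append(FS)
    return actions

def triage(hosts: List[Host]) -> dict:
    return {h.name: remediation_actions(h) for h in hosts}

INVENTORY = [  # constructed sample data
    Host("web-1", "1.0.1e", date(2014, 3, 1), None, ["AES256-SHA"]),
    Host("web-2", "1.0.1e", date(2014, 4, 10), date(2014, 4, 8), ["ECDHE-RSA-AES128-GCM-SHA256"]),
    Host("legacy", "1.0.0l", date(2013, 1, 1), None, ["ECDHE-RSA-AES128-SHA"]),
]

if __name__ == "__main__":
    for name, actions in triage(INVENTORY).items():
        print(name, "->", actions or ["no action"])
```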
References:
vulnerability (CVE-2014-0160)