https://insidegovuk.blog.gov.uk/2014/04/11/govuk-and-the-heartbleed-openssl-bug/

GOV.UK and the Heartbleed OpenSSL bug

Brad Wright, 11 April 2014 - How we work

On Monday 7th April, late night UK time, a serious bug was disclosed in the OpenSSL software that we (and a great many others) use to secure our websites.

The bug was such that it was theoretically possible for third parties to get hold of the encryption keys we use to secure traffic and, among other things, pretend to be GOV.UK given appropriate network control.

We take privacy and security very seriously, and the following actions have been taken since the disclosure:

• The www.gov.uk domain was very quickly secured by our downstream CDN provider
• The servers that we run were fully patched within a few hours on Tuesday. This and the previous point meant we were no longer vulnerable to the effects of the bug
• On Wednesday afternoon we completely reissued all our SSL certificates, removing any chance that a previously compromised certificate was usable to any attackers.

Now that all the servers have been updated we're going to be proactively resetting publisher passwords as a final precaution. If you're affected you'll be receiving an email directly from us.

Share this page

• Twitter
• Facebook
• LinkedIn
• Email

5 comments

1. Lee Maguire 11 April 2014

   Has the UK government, as a user of OpenSSL on http://www.gov.uk as well as elsewhere on the digital estate, considered a donation or sponsorship to the OpenSSL Software Foundation?

   https://www.openssl.org/support/donations.html

   Link to this comment

2. Ian Wills 15 April 2014

   Regarding the statement "On Wednesday afternoon we completely reissued all our SSL certificates, removing any chance that a previously compromised certificate was usable to any attackers.": as of 15/04/2014 the DVLA website (https://www.taxdisc.direct.gov.uk) has a certificate still which was issued on 14/06/2012.
   Could GOV.UK please provide positive identification as to which certificates have been revoked and subsequently reissued?

   Link to this comment

   • Brad Wright 15 April 2014

     The scope of this blog is specifically about the GOV.UK single domain, so in this case the SSL certificates referred to are http://www.gov.uk, and our *.alphagov.co.uk wildcard certificates for various tools.

     Link to this comment

     • Bob 25 April 2014

       Does this mean that I can safely use the DVLA (motoring.direct.gov.uk) website safely? The certificate issued seems to be for 25-11-11.

       Link to this comment

       • Brad Wright 25 April 2014

         Hi Bob: as mentioned above this blog post is specifically about http://www.gov.uk. I couldn't comment about the sites of any other agencies.

         Link to this comment

Inside GOV.UK

A blog about running and improving the GOV.UK website, for anyone who is working on GOV.UK or interested in how the digital home of the UK government works. Written by the GOV.UK Team

GOV.UK’s strategy for growth

GOV.UK is moving to be multi-channel. Learn more about our priorities by reading our strategy for growth.

Subscribe to Inside GOV.UK to keep up to date with our work.

Categories

Standards and guidelines

Read GOV.UK standards and guidelines on blogs, URLs, service requests, Welsh, logos and more.

Sign up and manage updates

• Email
• Atom

Follow GOV.UK

• @GOV.UK
• @GDSteam
• Flickr

Recent posts

• A new search engine for GOV.UK 23 October 2024
• How GOV.UK is supporting new ideas and helping the next generation of service designers 5 September 2024
• Introducing GOV.UK’s new publishing strategy 7 August 2024
• Updating GOV.UK’s crown 19 February 2024
• Moving our most-used publishing tool to the GOV.UK design system 8 February 2024

Comments and moderation

Read our guidelines.