On Monday 7th April, late night UK time, a serious bug was disclosed in the OpenSSL software that we (and a great many others) use to secure our websites.
The bug meant it was theoretically possible for third parties to obtain the encryption keys we use to secure traffic and, among other things, to impersonate GOV.UK to users, given appropriate control of the network.
We take privacy and security very seriously, and the following actions have been taken since the disclosure:
- The www.gov.uk domain was very quickly secured by our downstream CDN provider.
- The servers that we run were fully patched within a few hours on Tuesday. Together with the previous step, this meant we were no longer vulnerable to the bug.
- On Wednesday afternoon we completely reissued all our SSL certificates, removing any chance that a previously compromised certificate was usable by an attacker.
Now that all the servers have been updated we're going to be proactively resetting publisher passwords as a final precaution. If you're affected you'll be receiving an email directly from us.
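A client-side way to verify the certificate reissuance step above is to check that a site's certificate validity period starts after the disclosure date. The following script is an added example, not GOV.UK's own tooling; the hostnames and dates in it are constructed.

```python
"""Post-Heartbleed certificate check: flag certificates whose validity period
started before the disclosure date, i.e. certificates that were not reissued.
Constructed example; hostnames and dates below are illustrative only."""
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014; a certificate whose
# notBefore predates this may have had its private key exposed.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Parse the 'notBefore' field of an ssl.getpeercert()-style dict."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def reissued_after(cert, disclosure=DISCLOSURE):
    """True if the certificate was issued on or after the disclosure date."""
    return cert_not_before(cert) >= disclosure


def audit(certs, disclosure=DISCLOSURE):
    """Return {host: 'ok' | 'REISSUE'} for a mapping of host -> cert dict."""
    return {host: ("ok" if reissued_after(c, disclosure) else "REISSUE")
            for host, c in certs.items()}


def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper: fetch a server's leaf certificate as a getpeercert() dict.
    Needs network access, so it is not used with the constructed sample."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape returned by getpeercert(): one certificate
# issued in 2012 and one reissued two days after the disclosure.
SAMPLE_CERTS = {
    "old.example": {"subject": ((("commonName", "old.example"),),),
                    "notBefore": "Jun 14 00:00:00 2012 GMT",
                    "notAfter": "Jun 14 23:59:59 2015 GMT"},
    "new.example": {"subject": ((("commonName", "new.example"),),),
                    "notBefore": "Apr  9 12:30:00 2014 GMT",
                    "notAfter": "Apr  9 12:30:00 2016 GMT"},
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_CERTS).items():
        print(f"{host}: {status}")
```

The notBefore date alone cannot show whether the key pair was regenerated when the certificate was reissued; where possible, also confirm that the public key differs from the pre-disclosure certificate.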
5 comments
Comment by Lee Maguire posted on
Has the UK government, as a user of OpenSSL on http://www.gov.uk as well as elsewhere on the digital estate, considered a donation or sponsorship to the OpenSSL Software Foundation?
https://www.openssl.org/support/donations.html
Comment by Ian Wills posted on
Regarding the statement "On Wednesday afternoon we completely reissued all our SSL certificates, removing any chance that a previously compromised certificate was usable to any attackers.": as of 15/04/2014 the DVLA website (https://www.taxdisc.direct.gov.uk) has a certificate still which was issued on 14/06/2012.
Could GOV.UK please provide positive identification as to which certificates have been revoked and subsequently reissued?
Comment by Brad Wright posted on
The scope of this blog is specifically about the GOV.UK single domain, so in this case the SSL certificates referred to are http://www.gov.uk, and our *.alphagov.co.uk wildcard certificates for various tools.
Comment by Bob posted on
Does this mean that I can safely use the DVLA (motoring.direct.gov.uk) website? The certificate issued seems to be for 25-11-11.
Comment by Brad Wright posted on
Hi Bob: as mentioned above this blog post is specifically about http://www.gov.uk. I couldn't comment about the sites of any other agencies.