https://insidegovuk.blog.gov.uk/2014/04/11/govuk-and-the-heartbleed-openssl-bug/

GOV.UK and the Heartbleed OpenSSL bug

On Monday 7th April, late at night UK time, a serious bug (CVE-2014-0160, since known as Heartbleed) was disclosed in OpenSSL, the software that we (and a great many others) use to secure our websites.

The bug let anyone who could connect to a vulnerable server read chunks of that server's memory. That memory can include the private keys behind the certificates we use to secure traffic, and with those keys an attacker with the appropriate position on the network could, among other things, pretend to be GOV.UK.

We take privacy and security very seriously, and the following actions have been taken since the disclosure:

  • The www.gov.uk domain was secured very quickly by our CDN provider, which sits in front of our own servers
  • The servers that we run ourselves were fully patched within a few hours on Tuesday 8th April. Together with the previous point, this meant we were no longer vulnerable to the bug itself
  • On Wednesday afternoon we completely reissued all our SSL certificates, so that a certificate whose key might have been read out of memory before the patch is no longer the one we serve.
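Reissuing only helps if the new certificate post-dates the patch and carries a different key pair; a certificate reissued on the same key, or one issued before the fix, leaves the exposure exactly where it was. As an added example (not GDS code and not part of the original post), the following check takes the `openssl x509 -noout -dates -pubkey` output for the certificate served before the incident and the one served now and reports both conditions. The patch time, the sample dates and the placeholder key bodies are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Added example (not GDS code): confirm a certificate was genuinely reissued after the
# Heartbleed patch, working from `openssl x509 -noout -dates -pubkey` output for the
# certificate served before the incident and the one served now.
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"          # e.g. "Jun 14 00:00:00 2012 GMT"
PATCHED_AT = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)   # assumed patch time for this example

# Constructed sample inputs; the key bodies are placeholders, not real keys.
OLD_KEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAOLDKEYPLACEHOLDER0001"
NEW_KEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEANEWKEYPLACEHOLDER0002"
SAMPLE_OLD = f"""notBefore=Jun 14 00:00:00 2012 GMT
notAfter=Jun 14 23:59:59 2014 GMT
-----BEGIN PUBLIC KEY-----
{OLD_KEY_B64}
-----END PUBLIC KEY-----
"""
SAMPLE_NEW = f"""notBefore=Apr  9 13:20:00 2014 GMT
notAfter=Apr  9 23:59:59 2016 GMT
-----BEGIN PUBLIC KEY-----
{NEW_KEY_B64}
-----END PUBLIC KEY-----
"""


def parse_x509_text(text: str) -> dict:
    """Pull notBefore/notAfter and the SubjectPublicKeyInfo block out of openssl output."""
    fields = {}
    for key in ("notBefore", "notAfter"):
        m = re.search(rf"^{key}=(.+)$", text, re.M)
        if not m:
            raise ValueError(f"missing {key}")
        stamp = " ".join(m.group(1).split())         # openssl pads single-digit days with a space
        fields[key] = datetime.strptime(stamp, OPENSSL_DATE).replace(tzinfo=timezone.utc)
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", text, re.S)
    if not m:
        raise ValueError("missing public key block")
    fields["pubkey"] = "".join(m.group(1).split())    # base64 body with line breaks removed
    return fields


def check_reissue(old_text: str, new_text: str, patched_at: datetime = PATCHED_AT) -> dict:
    """Both must hold for the reissue to have helped: the new certificate post-dates the
    patch, and its public key differs from the old one (a reissue on the same key pair
    changes nothing). The old certificate's expiry is reported because, until it expires
    or is revoked, a leaked old key still pairs with it."""
    old, new = parse_x509_text(old_text), parse_x509_text(new_text)
    result = {
        "issued_after_patch": new["notBefore"] >= patched_at,
        "key_rotated": new["pubkey"] != old["pubkey"],
        "old_cert_valid_until": old["notAfter"],
    }
    result["ok"] = result["issued_after_patch"] and result["key_rotated"]
    return result
```

To produce the inputs for a live site, pipe `openssl s_client -connect www.gov.uk:443 -servername www.gov.uk </dev/null 2>/dev/null` into `openssl x509 -noout -dates -pubkey`, once from a capture taken before the incident and once now; the `notBefore` date alone is what the commenters below were reading off the DVLA certificate, and the public-key comparison is the part that date cannot tell you.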

Now that all the servers have been updated, we're going to proactively reset publisher passwords as a final precaution, since passwords sent to a vulnerable server could have been in the memory it exposed. If you're affected you'll receive an email directly from us.

5 comments

  1. Lee Maguire

    Has the UK government, as a user of OpenSSL on http://www.gov.uk as well as elsewhere on the digital estate, considered a donation or sponsorship to the OpenSSL Software Foundation?

    https://www.openssl.org/support/donations.html

  2. Ian Wills

    Regarding the statement "On Wednesday afternoon we completely reissued all our SSL certificates, removing any chance that a previously compromised certificate was usable to any attackers.": as of 15/04/2014 the DVLA website (https://www.taxdisc.direct.gov.uk) still has a certificate which was issued on 14/06/2012.
    Could GOV.UK please provide positive identification as to which certificates have been revoked and subsequently reissued?

    • Brad Wright

      The scope of this blog is specifically about the GOV.UK single domain, so in this case the SSL certificates referred to are http://www.gov.uk, and our *.alphagov.co.uk wildcard certificates for various tools.

      • Bob

        Does this mean that I can safely use the DVLA (motoring.direct.gov.uk) website? The certificate issued seems to be for 25-11-11.
