https://insidegovuk.blog.gov.uk/2014/04/11/govuk-and-the-heartbleed-openssl-bug/

GOV.UK and the Heartbleed OpenSSL bug

On Monday 7th April, late night UK time, a serious bug was disclosed in the OpenSSL software that we (and a great many others) use to secure our websites.

The bug made it theoretically possible for third parties to obtain the encryption keys we use to secure traffic and, among other things, to impersonate GOV.UK given appropriate network control.

We take privacy and security very seriously, and the following actions have been taken since the disclosure:

  • The www.gov.uk domain was very quickly secured by our downstream CDN provider
  • The servers that we run were fully patched within a few hours on Tuesday. This and the previous point meant we were no longer vulnerable to the effects of the bug
  • On Wednesday afternoon we completely reissued all our SSL certificates, removing any chance that a previously compromised certificate was usable to any attackers.
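One way a defender can verify the certificate-reissue step from the outside is to read the certificate's validity dates and compare the issue date with the time the host was patched. The following is an added example, not code from GOV.UK or this post; it parses the output format of `openssl x509 -noout -dates`, uses the 7 April 2014 disclosure from the post as the default cut-off, and works on constructed sample output (the 2012 issue date mirrors what a commenter observed, and is not captured from any real host).

```python
from datetime import datetime, timezone

# Disclosure time taken from the post: late on Monday 7 April 2014, UK time.
# A certificate issued before the host was patched may have had its private
# key exposed through the bug, so its issue date alone cannot prove it safe.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, 23, 0, tzinfo=timezone.utc)

# Format of the lines printed by `openssl x509 -noout -dates`, e.g.
#   notBefore=Jun 14 00:00:00 2012 GMT
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text):
    """Return {'notBefore': datetime, 'notAfter': datetime} from -dates output."""
    dates = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT)
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if "notBefore" not in dates:
        raise ValueError("no notBefore line found in openssl output")
    return dates


def assess_certificate(text, patched_at=HEARTBLEED_DISCLOSURE):
    """Classify a certificate by comparing its issue date with the patch time.

    'reissue' : issued before the patch, so the key may have been exposed
    'ok'      : issued after the patch
    """
    dates = parse_openssl_dates(text)
    return "reissue" if dates["notBefore"] < patched_at else "ok"


# Constructed sample outputs (not captured from any real GOV.UK host). The
# first mirrors the 2012 issue date a commenter reported; the second shows a
# certificate issued after the disclosure.
OLD_CERT_DATES = """notBefore=Jun 14 00:00:00 2012 GMT
notAfter=Jun 14 23:59:59 2014 GMT
"""
NEW_CERT_DATES = """notBefore=Apr  9 10:30:00 2014 GMT
notAfter=Apr  9 10:30:00 2015 GMT
"""

if __name__ == "__main__":
    # In practice the text comes from a live host (hostname is a placeholder):
    #   openssl s_client -connect www.example.gov.uk:443 </dev/null 2>/dev/null \
    #     | openssl x509 -noout -dates
    for label, sample in (("old", OLD_CERT_DATES), ("new", NEW_CERT_DATES)):
        print(label, assess_certificate(sample))
```

A later notBefore only shows that a new certificate was issued; it does not by itself prove that a new private key was generated, because a certificate can be reissued against the old key. To confirm the key changed, also compare the public key of the old and new certificates (for example via `openssl x509 -noout -pubkey`).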

Now that all the servers have been updated we're going to be proactively resetting publisher passwords as a final precaution. If you're affected you'll be receiving an email directly from us.

5 comments

  1. Comment by Lee Maguire posted on

    Has the UK government, as a user of OpenSSL on http://www.gov.uk as well as elsewhere on the digital estate, considered a donation or sponsorship to the OpenSSL Software Foundation?

    https://www.openssl.org/support/donations.html

  2. Comment by Ian Wills posted on

    Regarding the statement "On Wednesday afternoon we completely reissued all our SSL certificates, removing any chance that a previously compromised certificate was usable to any attackers.": as of 15/04/2014 the DVLA website (https://www.taxdisc.direct.gov.uk) still has a certificate which was issued on 14/06/2012.
    Could GOV.UK please provide positive identification as to which certificates have been revoked and subsequently reissued?

    • Replies to Ian Wills>

      Comment by Brad Wright posted on

      The scope of this blog is specifically about the GOV.UK single domain, so in this case the SSL certificates referred to are http://www.gov.uk, and our *.alphagov.co.uk wildcard certificates for various tools.

      • Replies to Brad Wright>

        Comment by Bob posted on

        Does this mean that I can safely use the DVLA (motoring.direct.gov.uk) website? The certificate issued seems to be for 25-11-11.