On Monday 7th April, late night UK time, a serious bug was disclosed in the OpenSSL software that we (and a great many others) use to secure our websites.
The bug meant it was theoretically possible for third parties to obtain the private encryption keys we use to secure traffic and, among other things, given appropriate network control, to impersonate GOV.UK.
We take privacy and security very seriously, and the following actions have been taken since the disclosure:
- The www.gov.uk domain was very quickly secured by our downstream CDN provider.
- The servers that we run were fully patched within a few hours on Tuesday. Together with the previous point, this meant we were no longer vulnerable to the effects of the bug.
- On Wednesday afternoon we completely reissued all our SSL certificates, removing any chance that a previously compromised certificate was usable by any attackers.
Now that all the servers have been updated, we're going to be proactively resetting publisher passwords as a final precaution. If you're affected, you'll receive an email directly from us.