The recent OpenSSL issues (CVE-2014-0160) have required most of the world’s Internet service providers to patch their systems and we completed ours late on Monday this week.
Our perimeter systems should have detected some of the possible ways this exploit would have been used and we haven’t seen such alarms, but there are ways services may have been attacked that would not have been seen.
Despite the seriousness of this bug and the potential for loss of data, it is unlikely that our services were targeted using such methods. However, we suggest users should not be complacent, so we offer the following advice.
As a precaution, we recommend users change passwords on Zimbra email services, which are the most likely to have been affected.
We are also reviewing all systems for other secondary signs of compromise or attempted compromise and will be renewing vulnerable certificates where keys may have been compromised.
Some aspects of certificate renewal have been delayed for reasons beyond our control, due to the huge increase in validation and re-issue tasks at certificate authorities.
Firefox users may see an error relating to the OCSP server. This is an added protection in Firefox that checks a service that looks for revoked certificates. Again, due to the increase in revoked certificates, lists are not being updated as quickly as usual, so Firefox cannot confirm that a new certificate is not listed.
As a short-term fix, open Firefox preferences, go to Advanced – Certificates – Validation, and untick the OCSP server check. After 24 hours we recommend you return this setting to normal.
If you have any queries relating to this please do contact support and they will be happy to assist.