Heartbleed panic drives flood of enquiries to Symantec's Melbourne CA

While security vendors weigh their product ranges for vulnerability to the recently discovered 'Heartbleed' bug, Symantec's massive digital certificate infrastructure remains secure – but the company is advising customers to update the vulnerable OpenSSL code and then regenerate their public key infrastructure (PKI) private keys, according to its Melbourne-based senior principal systems engineer Nick Savvides.

The high-profile bug had generated a flood of calls to the company's Melbourne customer support centre – one of four facilities in the world to handle both customer validation and the generation of new public keys within its VeriSign infrastructure – but Symantec was providing free certificate renewal services for customers, who were generally being encouraged to use self-service control panels to reissue their private keys.

“It's a big problem because it drives so many Web servers, but it's not that certificates and PKI are broken,” Savvides told CSO Australia.

“The fundamental technology is still sound and the way it operates is still sound. The chain of trust is intact. It's just this implementation, which is a very serious issue that needs to be addressed by IT operations teams.”

Certificate authorities around the world have been quick to act in the wake of the discovery of Heartbleed, which potentially exposed millions of private encryption keys to snooping interlopers. The bug has many questioning whether the Web's Secure Sockets Layer (SSL) encryption is still secure enough to be widely used, and all manner of superlatives are being used to describe the magnitude of the threat.

Rival CA Comodo has already reissued tens of thousands of certificates, with replacement requests running at 10 to 12 times the usual pace as hackers reportedly prepare their efforts to capitalise upon the bug. Entrust, another CA, is also offering free replacement certificates.

Savvides cautioned customers – who need to work through a process to quickly reduce their exposure – to make sure they had identified and patched all systems with the OpenSSL vulnerability before renewing the certificates.

There was no indication yet as to how many of those private keys had been regenerated, but Savvides believes a year from now it will be much easier to tell: “there are tools that let you scan the Web and determine the expiry date of certificates,” he said.

“I have a good feeling that, 12 months from now, one-third of the world's SSL certificates will come up for expiry within the same three-day period because they're all being renewed now.”
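The ordering Savvides describes (patch OpenSSL first, then regenerate keys and reissue certificates) and the expiry-date scanning he predicts can both be checked from scan output. The following is an added example, not code from the article or from Symantec: it assumes each host's certificate validity window and OpenSSL patch date have already been collected, uses the Heartbleed public disclosure date as a fixed reference, and flags keys that were generated before the host was patched, then measures how tightly expiry dates cluster.

```python
from collections import Counter
from datetime import date, timedelta

# Heartbleed public disclosure date, assumed here as the audit reference point.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)


def reissue_status(not_before, patched_on):
    """Decide whether one certificate's key still needs regenerating.

    The order matters: a key generated on a host that was still running
    vulnerable OpenSSL may itself have leaked, so a renewal done before the
    patch is not enough.
    """
    if not_before < HEARTBLEED_DISCLOSED:
        return "reissue: key predates disclosure"
    if patched_on is None:
        return "reissue: patch date unknown, treat key as exposed"
    if not_before < patched_on:
        return "reissue: key generated before host was patched"
    return "ok: key generated after patch"


def audit(records):
    """Map host -> status for a list of scan records (constructed format)."""
    return {r["host"]: reissue_status(r["not_before"], r["patched_on"]) for r in records}


def expiry_clusters(records, window_days=3):
    """Count certificates whose notAfter falls in each window_days-wide bucket,
    measured from the earliest expiry in the set (a crude but sufficient test of
    the 'everyone renewed in the same few days' effect)."""
    if not records:
        return {}
    first = min(r["not_after"] for r in records)
    buckets = Counter()
    for r in records:
        idx = (r["not_after"] - first).days // window_days
        buckets[first + timedelta(days=idx * window_days)] += 1
    return dict(buckets)


def largest_cluster_share(records, window_days=3):
    """Fraction of all certificates that expire inside the busiest window."""
    clusters = expiry_clusters(records, window_days)
    return max(clusters.values()) / len(records) if records else 0.0


# Constructed sample records, shaped like output from a certificate scanner.
SAMPLE = [
    {"host": "a.example", "not_before": date(2013, 6, 1), "not_after": date(2014, 6, 1), "patched_on": date(2014, 4, 8)},
    {"host": "b.example", "not_before": date(2014, 4, 8), "not_after": date(2015, 4, 8), "patched_on": date(2014, 4, 9)},
    {"host": "c.example", "not_before": date(2014, 4, 9), "not_after": date(2015, 4, 9), "patched_on": date(2014, 4, 8)},
    {"host": "d.example", "not_before": date(2014, 4, 10), "not_after": date(2015, 4, 10), "patched_on": None},
    {"host": "e.example", "not_before": date(2014, 4, 10), "not_after": date(2015, 4, 10), "patched_on": date(2014, 4, 8)},
]
```

Host b.example is the case the article warns about: renewed on 8 April but not patched until the 9th, so its new key must be regenerated again.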

Symantec has offered running guidance for customers as it explores the depth of its products' Heartbleed exposure.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
