SSL Cert Reissue
Like many others, I have been hit by the Heartbleed bug, which kinda sucks. I don’t use SSL for anything very critical, but I do use it at tcj.io, my “projects” website. My host, Linode, has done a great job of providing tutorials on how to deal with the situation. The obvious first step (a couple of days ago) was to upgrade openssl itself:
apt-get update
apt-get upgrade
But this only prevents the server from leaking keys going forward. Since the vulnerability was in the wild for quite some time, I thought it prudent to reissue the certificates as well. Now that I had a bit more time, I went ahead and did a reissue to make sure that nothing going forward gets leaked. This is (as usual) a bit annoying, because of the verification procedure at Gandi (gandi.net). Otherwise, they’re pretty solid though, so I guess I’ll give them a pass on this one. And they did allow a reissue without revoking, so that’s a good step!
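A check for the upgrade step above: a daemon started before the package upgrade keeps the old libssl mapped until it is restarted. The script below is an added example, not part of the original post; the function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes still mapping a pre-upgrade OpenSSL library.
# When a package upgrade replaces libssl on disk, a process started earlier keeps
# the old file mapped, and Linux marks that mapping "(deleted)" in /proc/<pid>/maps.

# Print each distinct stale libssl/libcrypto path in a maps-format file.
# Returns 0 if any stale mapping was found, 1 if none.
stale_openssl_in_maps() {
    awk '
        # columns: address perms offset dev inode pathname [(deleted)]
        $NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ {
            if (!seen[$(NF-1)]++) print $(NF-1)
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Walk /proc and print "pid <TAB> name <TAB> stale libs" for every process that
# needs a restart. Run as root; maps files that cannot be read are skipped.
scan_running_processes() {
    status=1
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        libs=$(stale_openssl_in_maps "$maps" 2>/dev/null) || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        name=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "${name:-?}" "$(echo $libs)"
        status=0
    done
    return $status
}

# Constructed sample of a maps file from a web server that was not restarted.
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c05a000 r-xp 00000000 08:01 131342 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c05a000-7f3a1c25a000 ---p 0005a000 08:01 131342 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1be00000-7f3a1bfd6000 r-xp 00000000 08:01 131340 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1b800000-7f3a1b9be000 r-xp 00000000 08:01 131200 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
}

# Demo on the constructed sample; on a real host call scan_running_processes.
tmp=$(mktemp); sample_maps > "$tmp"
stale_openssl_in_maps "$tmp"; rm -f "$tmp"
```

Any process it lists should be restarted before the new key and certificate are installed. Statically linked binaries do not show up in this check.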
As a side note, this entire CA certificate system is silly. I watched Moxie Marlinspike’s video on precisely this topic. It’s disappointing that his Convergence idea hasn’t already caught on in Chrome–it seems like a really solid step forward to choose who to trust.