Institut für Angewandte Informatik
Rheinische Friedrich-Wilhelms-Universität Bonn
Systemgruppe Angewandte Informatik

SSL Heartbleed Bug

OpenSSL is the de facto open-source standard implementation of the TLS/SSL protocols.
Encryption provides communication security and helps protect privacy and data integrity in protocols like HTTPS, IMAPS and POP3S.
  1. Unfortunately, all OpenSSL versions released since March 2012 include a serious security-related programming bug.
    This bug could expose sensitive data, including user credentials.
    The bug and its fix became known to the public on April 7/8th 2014, and the bug was named Heartbleed.

  2. SGA is concerned about bugs and security, and the OpenSSL libraries protecting our mail services are usually kept up to date.
    Ironically, this is exactly why we had been vulnerable to this bug in the past.

  3. Of course, SGA immediately compiled the newest, corrected version of OpenSSL as well as the programs providing the mail services, to close the programming bug.
    As far as we know, we are no longer vulnerable to Heartbleed attacks!

  4. There is a second aspect to consider which might also be used to harm privacy and authentication credentials.
    The private keys used by our mail services might have been stolen through this bug!
    If someone was able to
    • record a network session (the stream) between your client and our services which was not using Perfect Forward Secrecy
      (PFS: the client negotiates cipher suites beginning with DHE or ECDHE)
    • and got hold of our private key too,
    he/she/it might decode this session later.

  5. Of course, we have applied for new certificates.

  6. The new certificates are in service now!

  7. Users should now be safe to change their passwords (used on our mail services).
    Please keep in mind that you might use the same password on other systems or services.
    If you think this smells phishy - as always - ask your "local system administration" (through other channels).

    The way to change your password depends on your organisational unit, i.e. which systems group manages your account.
    If you are uncertain, please ask your local system administration.

    Please choose the appropriate web interface from the following list:


    In either case it may take up to an hour to apply the changes to all systems.

    Please remember to use the new password in all active mail clients, as their IP addresses
    might get blocked for a short time if our services detect too many repeated authentication failures.
    This might cause service disruptions for all clients using the same IP address.
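Why a stolen private key opens recorded non-PFS sessions but not DHE/ECDHE ones (point 4 above), as an added toy demonstration that is not part of the original notice: the key sizes, the use of a plain hash as key derivation and the handshake message names are constructed simplifications of TLS.

```python
import hashlib
import secrets

# Constructed toy parameters, far smaller than real TLS keys; they only show the logic.
N, E, D = 3233, 17, 2753            # textbook RSA: n = 61 * 53, public (E, N), private (D, N)
DH_P, DH_G = 2**127 - 1, 2          # Mersenne prime as a small Diffie-Hellman modulus

def session_key(premaster: int) -> str:
    """TLS derives session keys from the premaster secret; a plain hash stands in here."""
    return hashlib.sha256(str(premaster).encode()).hexdigest()

def sign(value: int) -> int:
    """Server signs a handshake value with its long-term private key (textbook RSA)."""
    return pow(int(hashlib.sha256(str(value).encode()).hexdigest(), 16) % N, D, N)

def verify(value: int, sig: int) -> bool:
    """Client checks the signature against the public key from the certificate."""
    return pow(sig, E, N) == int(hashlib.sha256(str(value).encode()).hexdigest(), 16) % N

def rsa_handshake():
    """Static RSA key exchange (no PFS): the client encrypts the premaster to the server key.
    Returns (what a passive network recorder sees, the session key both ends derive)."""
    premaster = secrets.randbelow(N - 2) + 2
    return {"client_key_exchange": pow(premaster, E, N)}, session_key(premaster)

def dhe_handshake():
    """DHE key exchange (PFS): each side sends g^x; the private key only signs the server share.
    The exponents a and b are discarded after the handshake and never appear on the wire."""
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    ya, yb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(ya, b, DH_P)                   # equals pow(yb, a, DH_P) on the client side
    transcript = {"client_dh_share": ya, "server_dh_share": yb, "server_sig": sign(yb)}
    return transcript, session_key(shared)

def decrypt_later(transcript: dict, stolen_d: int):
    """What someone holding a recorded session plus the later-stolen private key recovers."""
    if "client_key_exchange" in transcript:
        premaster = pow(transcript["client_key_exchange"], stolen_d, N)
        return session_key(premaster)           # static RSA: the whole session opens up
    return None  # DHE: only g^a and g^b were recorded; the session key never depended on D
```

Because sign() needs nothing but D, a stolen key also lets anyone produce valid server signatures until the certificate is replaced, which is why new certificates (points 5 and 6) were required in addition to the software fix.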