Educause Security Discussion mailing list archives
Re: Finding Servers Using OpenSSL SSL/TLS
From: "Joel L. Rosenblatt" <joel () COLUMBIA EDU>
Date: Fri, 11 Apr 2014 13:06:18 -0400
We are sending out email to all of our SBO's that use a off campus service - they have been tasked with contacting the vendors and finding out what they are doing about it Divide and conquer :-) Joel Joel Rosenblatt, Director Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3 On Fri, Apr 11, 2014 at 12:51 PM, Mike Cunningham <mike.cunningham () pct edu> wrote:
Do you do anything with cloud/3rd party/off campus systems that Columbia uses ? -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel L. Rosenblatt Sent: Friday, April 11, 2014 12:49 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Finding Servers Using OpenSSL SSL/TLS We keep a constantly updating list of any IP address that accepts connections on port 443 using netflow information, we test them for the Heartbleed bug and inform the machine owner if they have a problem Thanks, Joel Rosenblatt Joel Rosenblatt, Director Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3 On Fri, Apr 11, 2014 at 11:33 AM, Pratt, Benjamin E. <bepratt () stcloudstate edu> wrote:Good morning everyone. The question: What would be the best option for determining remotely whether a server utilizes OpenSSL SSL/TLS for encrypting https traffic? The background: I'm hoping the list can provide a little assistance in dealing with the aftermath of the Heartbleed vulnerability. The good news is a scan of our campus network indicates that we are nearly fully patched. The bad news is that not all of the https servers utilizing OpenSSL SSL/TLS are centrally controlled. This means that we don't know which servers were patched before our first scan and therefore where all of the servers that were vulnerable, over the past two years, are located. I am attempting to put together options that include changing out SSL certificates and notifying users of previously vulnerable systems to update passwords. If I am able to provide more specific information about the scope of our endeavor it would certainly be an added value. Thank you, Ben -- Benjamin Pratt St. Cloud State University
Current thread:
- Finding Servers Using OpenSSL SSL/TLS Pratt, Benjamin E. (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Mike Cunningham (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Mally Mclane (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Cheryl O'Dell (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Mike Cunningham (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Steven Carmody (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Joel L. Rosenblatt (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Ken Connelly (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Tim Doty (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Peter Setlak (Apr 11)
- Re: Finding Servers Using OpenSSL SSL/TLS Pratt, Benjamin E. (Apr 11)