Posts Tagged ‘SSL’

Heartbleed OpenSSL Bug and D-PHYS Services

Friday, April 11th, 2014

On Monday the public was made aware of a severe bug in OpenSSL, a cryptography library which is used as the core of many cryptographically secured IT services. Since the bug was in the Heartbeat extension, it has been named "Heartbleed".

This bug allowed attackers to stealthily read parts of the memory used for cryptographic operations, which may include digital keys in use on servers or passwords transferred over encrypted connections.

If you used any password-protected D-PHYS web service or the D-PHYS mail server between the 12th of December 2013 and Tuesday, the 8th of April 2014 (or the BackupPC web interface between the end of 2012 and that Tuesday), there is a very small chance that your D-PHYS password and possibly other transmitted data may have been leaked to an attacker. We currently have no indication that this has actually happened on our servers.

To be safe, you might want to change the password of your D-PHYS account and any other account where the same password is used. See this Heise article for a discussion (in German) about whether you should change your password or not.

New SSL certificates for some ISG D-PHYS managed services

Wednesday, April 13th, 2011

We just deployed new SSL certificates for some of our services. Sending e-mails via our mail server no longer requires the import of our root CA certificate beforehand, but may require a restart of your e-mail client. Internal websites (like account management and password changing) or websites which are hosted by us and don't end in .ethz.ch got new certificates signed by our new root CA certificate. To avoid annoying and irritating warnings, we recommend you import our root CA certificate into your web browser.

The new root certificate will also be installed in the web browsers on our managed workstations within the next few days.

New SSL and HTTPS certificates for many ISG D-PHYS services

Thursday, September 30th, 2010

In the past, all HTTPS-secured web sites hosted or provided by us used certificates issued by ourselves. This caused unsettling warnings in most browsers, as users had to manually add the root certificate of our certification authority (CA) to their web browser.

To allow SSL certificates other than those signed by ourselves, namely certificates automatically accepted by all browsers, but also community-backed CACert certificates issued by ETH ID, we will change the configuration of our web server zwoelfi this evening. This may cause some short interruptions to some of the hosted sites, but these should not last long.

Some of these web sites will already get new SSL certificates issued by QuoVadis (accepted by nearly all browsers by default) this evening.

Update Friday, 1. Oct. 2010, 21:00h: Due to several unexpected issues with the new QuoVadis certificate, the web server is for now running with the old ISG-signed SSL certificate again on all virtual hosts.

Update Thursday, 7. Oct. 2010, 23:00h: Most of the issues with the new QuoVadis certificate are now solved, and all virtual hosts planned for the QuoVadis SSL certificate are using it again.

New SSL certificates for ISG D-PHYS web based services

Monday, March 23rd, 2009

For a long time we used so-called wildcard SSL certificates for most of our web sites and services. Newer web browsers in particular issued warnings about them. We recently replaced the wildcard certificate on https://www.phys.ethz.ch/ and other websites with a new type of SSL certificate that lists all websites hosted on that machine. As of today, our infrastructure servers (e.g. https://registration.phys.ethz.ch/) also have such a new SSL certificate.

If you have installed our CA certificate as described in our article How to configure web browsers, the new certificates won't cause any more security warnings. If you have not installed our CA certificate in your web browser, a warning about a new unknown certificate will pop up for many of our SSL-enabled websites every time we add a new website, because a new website means that we have to generate a new SSL certificate for the whole web server the new site is hosted on. We therefore recommend installing our CA certificate in your web browser to avoid those annoying warnings on D-PHYS websites.