Posted on Wednesday, April 23rd, 2014
Heartbleed is a vulnerability in OpenSSL, software which provides cryptographic services to computers on the Internet. Please be aware that the Heartbleed vulnerability is not a virus, so it cannot spread from one computer to another.
If you have ORC client certificates—certificates that identify you to web sites—your certificates are not at risk. There are no common web browsers that use OpenSSL. Accordingly, Heartbleed cannot allow compromise of a client certificate private key from a personal computer.
If someone were to use a vulnerable version of OpenSSL on a web server with an SSL/TLS certificate—even an SSL/TLS server certificate provided by ORC—there is potential for the web server to be compromised. If you believe that your private key may have been compromised, please revoke your SSL/TLS server certificate as soon as possible and install a new SSL/TLS server certificate using new keys.
This vulnerability generally applies to any server using OpenSSL versions 1.0.1 through 1.0.1f regardless of the source of the certificate. We recommend that you perform an immediate review of all of your systems and upgrade your OpenSSL packages if necessary.
OpenSSL versions 0.98, 1.0.0 and 1.0.1g are not affected by the Heartbleed vulnerability.
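As a starting point for the system review recommended above, the following added example (not ORC's own tooling) classifies the banner printed by `openssl version` against the affected range stated in this notice. The function name `heartbleed_status` and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the range
# given in this notice (1.0.1 through 1.0.1f are affected).
# Caveat: a distribution package may carry a backported fix under an
# unchanged upstream version string, so treat "affected" as "verify against
# the vendor's package changelog", not as proof of exposure.

heartbleed_status() {
    # $1: banner text, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    # Extract major.minor.fix plus the optional patch letter; suffixes such
    # as "-fips" and the build date are discarded.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')               echo unknown ;;                 # not an OpenSSL banner
        1.0.1|1.0.1[a-f]) echo affected ;;                # range from this notice
        *)                echo outside-affected-range ;;  # e.g. 1.0.0, 1.0.1g
    esac
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 1.0.0k 5 Feb 2013"
do
    printf '%-34s %s\n' "$banner" "$(heartbleed_status "$banner")"
done

# Check the OpenSSL command-line tool installed on this machine, if any.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(heartbleed_status "$(openssl version)")"
fi
```

The command-line tool reports only its own build; a server process may be linked against a different copy of the library, so check each service's package as well.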
For more information regarding the Heartbleed vulnerability, please see:
If you have further questions, you may contact the ORC PKI Help Desk.