When we first create an application, it’s easy to get the latest TLS certificate from a reputable vendor to match. Our software is humming along, and we can focus on other tasks.
But what happens if we have an incident like Heartbleed, a vendor improperly signing certificates, or another big OpenSSL vulnerability? Are we prepared to patch the entire fleet? Or can we even discover which servers are vulnerable?
The moments right after a vulnerability’s public disclosure are critical. It’s only a matter of time before everyone has access to the technical details of the bug, and within days or hours someone has weaponized it against unpatched infrastructure.
This Shoreline OpenSSL Diagnostics Op Pack is a runbook that lets you examine every SSL certificate across a fleet of servers. For each certificate, it reports details such as the trust chain, the signing algorithm, and the key strength. If a certificate turns out to be vulnerable, the runbook can swap it out for a new matching certificate from Let’s Encrypt, a free certificate authority. Alternatively, the user can use this information to understand their attack surface, then revoke, reissue, and install new, trusted certificates that follow industry best practices.
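The per-certificate checks described above (trust chain, signing algorithm, key strength, plus expiry), as an added example that is not part of the Shoreline Op Pack; it assumes the `cryptography` library and builds its own constructed sample certificates rather than reading real fleet certificates:

```python
"""Audit X.509 certificates for the weaknesses a fleet-wide scan looks for."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048                 # threshold assumed for this example
WEAK_HASHES = (hashes.SHA1, hashes.MD5)


def audit_certificate(pem: bytes, now=None):
    """Return a list of findings; an empty list means the cert passed every check."""
    cert = x509.load_pem_x509_certificate(pem)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    findings = []
    # Key strength: RSA keys below the threshold are flagged.
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append(f"rsa key too small: {key.key_size} bits")
    # Signing algorithm: SHA-1/MD5 signatures are no longer acceptable.
    if isinstance(cert.signature_hash_algorithm, WEAK_HASHES):
        findings.append(f"weak signature hash: {cert.signature_hash_algorithm.name}")
    # Trust chain: a self-signed leaf has no chain to a trusted root.
    if cert.issuer == cert.subject:
        findings.append("self-signed certificate, no trust chain")
    # Expiry: cryptography >= 42 exposes tz-aware *_utc properties; older
    # versions return naive UTC datetimes, so normalise both to aware UTC.
    expiry = getattr(cert, "not_valid_after_utc", None)
    if expiry is None:
        expiry = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    if expiry < now:
        findings.append(f"expired on {expiry.isoformat()}")
    return findings


def make_sample_cert(key_size=2048, days=30):
    """Constructed self-signed sample certificate (test input, not a real cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)
```

Run `audit_certificate` over each PEM collected from the fleet; anything with a non-empty findings list is a candidate for reissue.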