The Internet was rocked this week by revelations that a critical vulnerability in OpenSSL has left Web traffic open to compromise for years. The Heartbleed bug has potentially serious security ramifications, and it’s difficult—if not impossible—to know whether data has been exposed. In an effort to restore trust, and help organizations return to normal Web operations, Entrust is providing fresh certificates for customers at no cost.
SSL (secure sockets layer) is the foundation of Web security. It is the protocol sites rely on to encrypt and protect data traveling across the Internet to ensure things like usernames, passwords, account numbers, and other sensitive data are not capable of being intercepted in transit. OpenSSL is just one open source implementation of SSL, but it is a widely-used implementation so the repercussions from Heartbleed could be extensive.
“SSL certificates remain the industry standard for secure transactions across the internet—playing a pivotal role in online commerce around the world including retail shopping and banking,” states David Rockvam, senior vice president of product management and SaaS offerings at Entrust. “When properly implemented, SSL remains the single most important security mechanism for ensuring end-to-end authentication and encryption.”
According to data from Comodo, another popular certificate authority, customers have been requesting renewed certificates at a rate 10 to 12 times higher than the norm this week following news of the Heartbleed vulnerability.
Rockvam announced that Entrust is offering free renewals and certificate revocations for customers impacted by the Heartbleed flaw. “Not only is it the right thing to do, but we are uniquely positioned to provide this level of service because of our existing subscription-based pricing model.”
Entrust isn’t responsible for the Heartbleed vulnerability in OpenSSL, but it recognizes that Heartbleed puts the integrity of any and all certificates in question, and it understands that its customers depend on it for securing Internet traffic.
Requiring customers to pay for new certificates would an unnecessary added stress on top of the pain of trying to determine the scope of impact from Heartbleed. In fact, charging customers to re-issue certificates potentially compromised by Heartbleed would be shady profiteering at best.
If you are an Entrust customer and you believe your certificates may have been impacted by the OpenSSL Heartbleed vulnerability, take advantage of the opportunity to revoke your certificates and issue new ones from Entrust.