

Ask HN: OpenSSL/Heartbleed for internal company apps? - engtech

Are you bothering to check OpenSSL versions for internal apps like:

- revision control
- wikis
- tool installs like Perl, Python (because of LDAP authentication)

Looking around, it seems like Perforce and Subversion had Heartbleed vulnerabilities for specific configurations.

Looking through various LDAP plugins for different tools, they may use a version of OpenSSL that is vulnerable.

Should we be patching OpenSSL on all of the Linux boxes and not just web servers?
======
asdafa
Yes, definitely.

You should consider _all_ servers running a vulnerable OpenSSL installation to
be compromised. You'll need to rekey all your certificates.

Do not trust the fact that "the servers are internal" because if your
perimeter has been breached you will most likely know only after the fact.

Personally, I tend to treat internal services with the same process I use for
external services; they just come second on the list.
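An added example, not code from either poster: a POSIX shell script that does the two checks this thread is about on one Linux box. First it decides whether an `openssl version` string names an upstream release with the bug (1.0.1 through 1.0.1f, and 1.0.2-beta1; 1.0.1g fixed it, and 0.9.8/1.0.0 never had the heartbeat code). Second it walks `/proc/<pid>/maps` to find every process with a libssl mapped, flagging copies the kernel marks `(deleted)` (the package was upgraded but the process still runs the old code until restarted) and copies living outside the distribution's library directories (a tool or LDAP plugin shipping its own OpenSSL, which the package upgrade never touched). The maps excerpt in `demo_maps` is constructed, and `/opt/perforce/lib` is a hypothetical path used only to show the bundled case.

```shell
#!/bin/sh
# Added example, not code from the thread. Two Heartbleed checks for one
# Linux box: (1) is the system OpenSSL a release with the bug, and (2) which
# running processes have a libssl mapped, including a copy replaced by a
# package upgrade (old code still in memory until restart) or a copy bundled
# outside the system library directories (needs its own update).

# Returns 0 if an `openssl version` string names an affected upstream
# release: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g fixed it.
# Caveat: distributions backported the fix without bumping the version, so
# a "1.0.1e" may already be patched; confirm with the package changelog.
heartbleed_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # "OpenSSL 1.0.1e 11 Feb 2013" -> 1.0.1e
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # "-fips" style suffixes included
        1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads /proc/<pid>/maps on stdin; prints "<path> <state>" once per distinct
# libssl mapping. state is "deleted" when the kernel marks the file as
# replaced since the process mapped it, otherwise "loaded".
classify_libssl_maps() {
    awk '$6 ~ /libssl/ {
            state = ($7 == "(deleted)") ? "deleted" : "loaded"
            key = $6 " " state
            if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# Returns 0 if a libssl path is one of the distribution's own locations;
# anything else is treated as a bundled copy the package manager did not fix.
system_libssl() {
    case "$1" in
        /lib/libssl*|/lib64/libssl*|/usr/lib/libssl*|/usr/lib64/libssl*|/lib/*-linux-gnu/libssl*|/usr/lib/*-linux-gnu/libssl*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walks every process and prints: pid, executable, libssl path, origin
# (system/bundled), state (loaded/deleted). Run as root to read all maps.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue
        classify_libssl_maps < "$maps" 2>/dev/null | while read -r path state; do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
            if system_libssl "$path"; then origin=system; else origin=bundled; fi
            printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$exe" "$path" "$origin" "$state"
        done
    done
}

# Constructed maps excerpt (not captured from a real host) so the
# classification can be shown offline; /opt/perforce/lib is hypothetical.
demo_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c060000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c260000-7f3a1c264000 rw-p 00060000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a1d000000-7f3a1d060000 r-xp 00000000 08:05 9999 /opt/perforce/lib/libssl.so.1.0.0
EOF
}

case "${1:-}" in
    --scan)
        # Live mode: check the installed openssl, then every running process.
        v=$(openssl version 2>/dev/null || echo 'OpenSSL unknown')
        if heartbleed_version "$v"; then echo "affected release: $v"; else echo "not an affected release: $v"; fi
        scan_processes ;;
    *)
        # Offline demo on the constructed excerpt: one deleted system copy
        # (restart needed) and one bundled copy (separate update needed).
        demo_maps | classify_libssl_maps | while read -r path state; do
            if system_libssl "$path"; then origin=system; else origin=bundled; fi
            printf '%s\t%s\t%s\n' "$path" "$origin" "$state"
        done ;;
esac
```

Run it with `--scan` as root on each box; without arguments it only classifies the constructed excerpt. The maps walk is what answers the poster's question about Perl, Python and LDAP plugins: a bundled `libssl` shows up under a path the package manager does not own, and a `deleted` entry means the upgrade landed but the service is still running the old code. `lsof | grep libssl` gives the same picture with less control over the output.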

