Google: Compute Engine customers should create new SSL keys over Heartbleed

Google: Compute Engine customers should create new SSL keys over Heartbleed

Summary: Google Compute Engine customers need to create new keys in services that use OpenSSL. Meanwhile, Google Search Appliance customers are still waiting for a patch.

SHARE:
TOPICS: Security, Cloud
5

Google said that customers using its Google Compute Engine cloud services need to create new keys for services affected by the Heartbleed virus, which has wreaked havoc on password systems around the Web.

01-heartbleed

Heartbleed is a virus that exploits OpenSSL, which is designed to secure Web traffic through encryption. OpenSSL 1.01 and 1.02 beta are affected. These systems are used on web servers, email servers, virtual private network (VPN) systems, and some client applications.

The attack, brewing for years, has shed light on open source security. Heartbleed's big scare is that it can expose passwords, emails, and financial information.

TechRepublic: The Heartbleed vulnerability: how does it apply to you?

Google raced last week to patch a bevy of services potentially hit by Heartbleed. On April 9, Google's list went like this: Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics, and Tag Manager.

Business services such as Cloud SQL were also patched. Initially, Google gave a workaround for its Compute Engine and still appears to be struggling to patch its Google Search Appliance.

Google updated a blog post with the following:

In light of new research on extracting keys using the Heartbleed bug, we are recommending that Google Compute Engine (GCE) customers create new keys for any affected SSL services. Google Search Appliance (GSA) customers should also consider creating new keys after patching their GSA. Engineers are working on a patch for the GSA, and the Google Enterprise Support Portal will be updated with the patch as soon as it is available.

Creating new keys for Google Compute Engine may be a bit of a pain, but it's necessary. Google Search Appliance customers may be scratching their heads over the time it has taken for the company to deliver a patch.

Topics: Security, Cloud

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • They must have a really slow compiler

    Its just a recompile to update. There must be another reason they aren't telling us.
    Maybe its tied to the disappearance of MH370 OR they have to enable a new door for the NSA... Google's deceit chickens come home to roost. LOL
    greywolf7
  • Nah

    The bug just sat there for 2 years. Part of the bug was that nothing would ever be logged, so an attack will not have left any traces.

    Which means, not Google nor anyone else can say for sure that customers keys/certs have not been compromised.
    honeymonster
  • Microsoft Azure

    Life is good here
    Xenon8
  • Heartbleed is NOT a virus

    Just wanted to let you know that Heartbleed is a bug (vulnerability) in the OpenSSL versions 1.0.1 through 1.0.1f.

    It is *not* a virus.
    j_mcc99
    • Yes.

      That was my understanding. The article is misleading.
      dgoldcamp