Google: Compute Engine customers should create new SSL keys over Heartbleed

Google Compute Engine customers need to create new keys in services that use OpenSSL. Meanwhile, Google Search Appliance customers are still waiting for a patch.

Google said that customers using its Google Compute Engine cloud services need to create new keys for services affected by the Heartbleed bug, which has wreaked havoc on password systems around the Web.


Heartbleed is a vulnerability in OpenSSL, the library designed to secure Web traffic through encryption. OpenSSL 1.0.1 and 1.0.2 beta are affected. OpenSSL is used on web servers, email servers, virtual private network (VPN) systems, and some client applications.

The attack, brewing for years, has shed light on open source security. Heartbleed's big scare is that it can expose passwords, emails, and financial information.


Google raced last week to patch a bevy of services potentially hit by Heartbleed. On April 9, Google's list went like this: Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics, and Tag Manager.

Business services such as Cloud SQL were also patched. Initially, Google gave a workaround for its Compute Engine and still appears to be struggling to patch its Google Search Appliance.

Google updated a blog post with the following:

In light of new research on extracting keys using the Heartbleed bug, we are recommending that Google Compute Engine (GCE) customers create new keys for any affected SSL services. Google Search Appliance (GSA) customers should also consider creating new keys after patching their GSA. Engineers are working on a patch for the GSA, and the Google Enterprise Support Portal will be updated with the patch as soon as it is available.

Creating new keys for Google Compute Engine may be a bit of a pain, but it's necessary. Google Search Appliance customers may be scratching their heads over the time it has taken for the company to deliver a patch.