CAcert Members Report 2014
Below is the report of the CAcert association members to itself. Please write about how you have contributed to CAcert over the year 2013-2014. (Editor's note - please place in alphabetical order)
BenBE, Eva, Magu
(All times in this report are CEST times, as nearly all affected persons were in this time zone.)
During the early hours of 2014-04-08 there was some special activity done by various core members at CAcert. More or less the same people were active until about 2014-04-09 10:45 CEST, when the needed actions to contain, analyse and inform about the issue were completed.
In the late hours of 2014-04-07 early indications of an upcoming issue report arrived on Twitter originating from well-known cryptographers. Those reports were followed closely by various members of the community.
About one hour before Golem (well-known German IT magazine and the first report with broader reach) first reported on Heartbleed, the first indications that something was up in this regard reached CAcert mailing lists. 10 minutes before the report, it was already confirmed by the critical team that neither the webdb nor the signer were vulnerable to the bug. About 15 minutes after the report, other CAcert core personnel became aware that there really could be something up with OpenSSL and that emergency action was required.
About 3 hours after the report (in the middle of the night on a working day), the issue was seriously discussed between members of different CAcert teams.
Half an hour later, coordination on upgrading and fixing the affected non-critical systems had begun and the first systems received the patched OpenSSL version once it became available through the distribution update mechanism. Meanwhile a strategy to inform the users was also set. It was decided that the information should be about how CAcert was affected and - more important - how members could be affected and what steps would be needed in this case.
At 2014-04-08 07:00 CEST one of the CAcert.org core members had to leave for normal day work and only rejoined the next day. During the remainder of the day (till finally falling asleep after being awake for 36 hours) he coordinated the same processes at work once again. Due to lack of sleep for most of the regular attendants, the regular telephone conference of the Software Team on Tuesdays was skipped.
At 2014-04-08 08:50 CEST - 8:30h after the Golem report - the following was already done:
- The risks for the critical and non-critical systems were analysed
- The most relevant systems were fixed (and had received upgraded certs)
- An informative blog post was published
- A tweet was sent out
- A completely documented arbitration ruling given, to inform members per automated mail, if they had subscribed to general announcements or were likely to have been affected by the bug
- The main CAcert mailing list was informed
In the process, members of the following teams had been involved:
- Critical Administrators
- Software Development and Assessment
- CAcert Organisation Administrators
The following teams were informed (enough to be able to react):
- Infrastructure (remaining parts)
- CAcert Inc. Board
- Support (with additional warnings and instructions)
The responding team was as transparent as possible with the tools they selected to coordinate and invited more people to participate, especially regarding the formulation for the mail to be sent to the members.
At this time more or less everybody involved had left to go to their regular work - and probably had to do just the same thing there once again ;-)
During the next night, the work on the automated mail (and the few remaining points on the infrastructure site) was picked up when people returned from their work. This was relatively slow, as people had missed a lot of sleep and dropped in and out to recover at least a little bit.
The work of the night was two-fold again. A script for sending the announcement mail had to be created, reviewed and tested, and the text to be sent by the mail had to be provided. This was done in English and German. The German translation was included as most of the members of the responding team were German-speaking and a huge base of our members comes from those regions (DE, AT, CH) too. It was only sent to those members in addition to the English version.
At 2014-04-09 in the evening the CAcert.org Organisation Admin re-joined the team by assisting with reissuing the remaining certificates that had to be switched for new ones. By this time most certificates had already been switched by our other CAcert.org organisation admins.
Another person counted 9 hours of sleep on Friday morning for the complete week and was forbidden by friends to follow the plans for the weekend and sent to bed instead, or at least to less demanding activities.
At 2014-04-09 10:45 the automated mail-sending started. At this time, most of the people involved were back at work, again.
After the blog was posted and during the next days a lot of positive feedback from outside reached CAcert (heise.de forum, Twitter, various blogs, ...). It was positively remarked that CAcert was the only CA that reacted as fast and openly (most other CAs never announced anything publicly about Heartbleed, some of them even requiring fees to revoke/renew certificates). Besides that, the content of the blog and mails was praised as being exactly what was needed to help people and to estimate the dangers.
At the next board meeting, the Heartbleed action was discussed and a motion was issued that the team should be thanked for their work (m20140413.3). One of the board members however commented that it should be noted that even though the action was fast, the English was terrible, which should be noted as well. (NOTE by responding team: The German of said mails was probably even worse.) The only public discussion that was seen afterwards by the board - on the open board mailing list - was about the bad quality of the English. The board motion was never executed. No thanks from the board reached the acting members.
The public documentation can be found here (WiP - Link may change in the future)
We'd like to thank the rest of the spontaneous emergency response team and the great atmosphere during those busy (somewhat fuzzy) hours.
BenBE (Software Development and Assessment, Infrastructure, CAcert Organisation Admin, PR)
Eva (Arbitration, Software Tests, PR)
Magu (Infrastructure, Arbitration, Software Tests, PR)