Summary

Due to a serious vulnerability in the OpenSSL software, we want the .no registrars to:

  • change their EPP password
  • change the password of all registrar web users connected to the registrar
  • check the list of registered IP addresses

All of this is done via the registrar web, https://registrar.norid.no.

Please do this before Monday 28 April 2014. Norid may close accounts and users (both EPP and registrar web) that have not changed their password by this date.

More information

A serious vulnerability in OpenSSL was discovered recently. The vulnerability may have been exploited for two years, but it is not possible to know whether this has happened.

Norid currently has no indication of any information leak from our systems.

See http://heartbleed.com and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 for more information.

All public services in the .no registry system use OpenSSL and were vulnerable. All servers were patched before noon local time on 8 April 2014, and all services were restarted. They are thus no longer vulnerable.

In addition, we have changed all SSL certificates and will revoke the old ones. Registrars and users should not notice this, except by checking the date on which the certificate was issued.

We now want all registrars to change the password of their EPP user account and of all their users in the registrar web. All passwords are changed via the registrar web, https://registrar.norid.no.

At the same time, registrars should check that the list of IP addresses the registrar can log in from looks correct, in other words that it contains the IP addresses you believe you need.

If you see anything suspicious, please contact info@norid.no immediately.

Norid may close accounts and users that have not changed their password by Monday 28 April 2014.

Reminders will be sent out the week after Easter.

The information in this email is based on what we know about this vulnerability as of 10 April 2014. If we receive new information that indicates a more serious situation, we may have to implement other measures at short notice.

Published: 10 April 2014
Updated: 10 November 2014