For #1, “I reacted immediately” and “I reacted when the urgency became evident” are probably the same thing for most people. I heard about the bug 20 minutes after it was announced, from the Cloudflare blog of all places. Not even USN had posted about it. I patched my servers within an hour, and spent the next 5 hours waiting for my CA to respond to my revocation and re-key requests. Apparently they were inundated.
On the bright side, I prepared for security issues like this. I used multi-factor auth for our admin tools and perfect forward secrecy cipher suites for our TLS. Even with our private key, previously recorded traffic cannot be decrypted. And if an attacker got ahold of our passwords, they would still need to steal our YubiKeys to get access to our admin tools.
For #1, “I reacted immediately” and “I reacted when the urgency became evident” are probably the same thing for most people. I heard about the bug 20 minutes after it was announced, from the Cloudflare blog of all places. Not even USN had posted about it. I patched my servers within an hour, and spent the next 5 hours waiting for my CA to respond to my revocation and re-key requests. Apparently they were inundated.
On the bright side, I prepared for security issues like this. I used multi-factor auth for our admin tools and perfect forward secrecy cipher suites for our TLS. Even with our private key, previously recorded traffic cannot be decrypted. And if an attacker got ahold of our passwords, they would still need to steal our YubiKeys to get access to our admin tools.
Hooray for being paranoid about security.