SSL key change
This should not be visible to 99% of users but we’re letting you know just in case.
Due to a bug (CVE-2014-0160) found in the OpenSSL library, which is used by Derpibooru along with a huge chunk of the internet to do encryption (the S in HTTPS), we are assuming that the private keys associated with Derpibooru’s SSL service have been compromised.
Private key compromise is a serious thing - it allows an attacker to decrypt all traffic to and from a site, and impersonate a site.
In all likelihood, the private keys for Derpibooru haven’t been stolen using this attack, but as we cannot rule this out we are erring on the side of caution and replacing all our key material, discarding and revoking all keys used before we patched this bug. This means that the SSL keys that Derpibooru uses to encrypt your traffic will be changed. This should not be a visible change, and will be done later today. Clients that see or have cached the old certificate and that also perform online certificate revocation checks will be told the certificate has been revoked, and clients that specifically check for the existing key fingerprint will need updating. This should not impact typical end users.
We take your privacy seriously, with SSL required for private user operations and encouraged across the site, though not absolutely mandatory. Not only that, we use high-grade SSL with robust perfect forward secrecy. Compromise of keys could potentially result in compromise of user data, which is not acceptable to us, hence this change.