Heartbleed: worse than previously thought

April 14th, 2014 // 1:33 pm

CloudFlare, a provider of CDN and other hosting-related services, issued a challenge to researchers to steal a server’s private key. CloudFlare set up a test server running a Heartbleed-vulnerable build of OpenSSL.

Within hours of the challenge being issued on Friday, April 11, 2014, a software engineer retrieved the server’s private key. With the private key, an attacker can forge the site’s SSL certificate, meaning that banks and other sites that use SSL are far more vulnerable than was previously thought.

“The bad news is that [discovery] changes our recommendation from: reissue and revoke as a medium priority to reissue and revoke as a high priority,” wrote Matthew Prince, CEO of CloudFlare in an email.

Update: CBC reports that 900 SINs (Social Insurance Numbers) were stolen from the CRA’s (Canada Revenue Agency) website as a result of the Heartbleed bug.

Update 2: Akamai, a content distribution network that handles 1/3 of all internet traffic, reportedly fixed their servers to address Heartbleed. CNET reports new research released today shows that their fix did not actually work – SSL certificates served through Akamai are not yet secure. Akamai needs to fix the vulnerability, then have all of their clients reissue their SSL certificates, and then have all users change their passwords. Wow.

Reissue and revoke refers to SSL certificates, which are issued by CAs. For example, if you run a website that uses SSL, you’d have an SSL certificate carrying your public key, plus the corresponding private key on your server. Based on the CloudFlare challenge’s result, someone could have stolen your SSL certificate’s private key. The only way to continue to offer a secure connection to your users would be to revoke your SSL certificate and reissue it.

Revoking and reissuing an SSL certificate is easy – but it introduces extra load on the CA’s servers as users’ browsers validate the new certificate. Imagine this happening across millions of websites, with millions of users attempting to establish SSL connections – big slow-downs, but better security…for now.
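One check worth running after a revoke-and-reissue, as an added example that is not from the original post: confirm the reissued certificate actually carries a new public key, since a certificate reissued over the same, already-leaked key pair gains nothing. It assumes the openssl command-line tool is installed; the file names, subject and demo certificates are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI.

# SHA-256 fingerprint of a certificate's SubjectPublicKeyInfo: this identifies
# the key pair itself, independent of serial number, dates or issuer.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 only if the new certificate uses a different key than the old one,
# i.e. the reissue was a real key rotation and not just a fresh certificate.
key_was_rotated() {
    old=$(spki_fingerprint "$1")
    new=$(spki_fingerprint "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# Constructed demo data: the "leaked" key, a certificate reissued over that
# same key, and a certificate issued for a freshly generated key.
make_demo() {
    dir=$(mktemp -d)
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/old.key" \
        -out "$dir/old.crt" -subj "/CN=example.test" -days 1 2>/dev/null
    openssl req -new -x509 -key "$dir/old.key" \
        -out "$dir/same-key.crt" -subj "/CN=example.test" -days 1 2>/dev/null
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/new.key" \
        -out "$dir/new-key.crt" -subj "/CN=example.test" -days 1 2>/dev/null
    echo "$dir"
}
```

Run `key_was_rotated old.crt new.crt` against the certificate you served before the incident and the one you serve now; a non-zero exit means the private key that may have leaked is still in use.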

As for consumers, changing your password is likely not enough.

