Slashdot Mirror

← Back to Stories (view on slashdot.org)

Private Keys Stolen Within Hours From Heartbleed OpenSSL Site

Posted by samzenpus on from the that-didn't-take-long dept.

Billly Gates (198444) writes "It was reported when heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. Cloudfare launched the heartbleed challenge on a new server with the openSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CA's revoke all the old keys and certificates."

31 of 151 comments (clear)

  1. Even root CA certificates may be at risk. by Z00L00K · · Score: 3, Insightful

    Be aware that even the root CA certificates can be at risk right now, and that can really cause problems.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Even root CA certificates may be at risk. by mlts · · Score: 4, Informative

      Depends. A website's SSL key may be slurped up. However, a root CA key should be either kept on an offline machine or kept in a hardware security module where the key won't be divulged, ever... the module will sign a key, and that's it.

      I'm sure some places will have their root CA on an externally connected machine, then try to place blame, likely saying how insecure UNIX is (when it isn't any particular flavor of UNIX that is at fault.)

    2. Re:Even root CA certificates may be at risk. by gweihir · · Score: 4, Funny

      That is BS. Nobody sane installs a root certificate on productive network-connected hardware, unless they are terminally stupid. Oh, wait...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. https is dead by lougarou · · Score: 5, Funny

    For all practical purposes, https is dead. There is no way browsers will carry around the hundreds of thousands of possibly-stolen-so-unsafe certificates fingerprints (to consider these tainted/revoked). The only way forward is probably to move away to an incompatible protocol. And if possible, cure some of the X509 wrong ways.

    1. Re:https is dead by Anonymous Coward · · Score: 5, Insightful

      Nah, the browsers will just reset 'zero epoch' for SSL certificates they'll accept to ONLY accept certificates issued after some date post-exploit, and all major SSL vendors will likely reboot their intermediate keychains so there's only a handful of 'revocation' certificates that will actually be needed due to the tree-of-trust model: Anything in the chain gets revoked everything below it goes away.

      And yes, this means the folks that were Johnny on the Spot about reissuing their certs might have to re-issue them AGAIN due to fixing their issue so quickly, but that's honestly pretty minor compared to the huge swaths of forever-vulnerable sites that need to effectively have their SSL status revoked regardless of what they do or don't do.

      WolfWings, who hasn't logged into SlashDot in YEARS.

    2. Re:https is dead by jonwil · · Score: 3, Interesting

      The problem with replacing HTTPS is that you will need to maintain regular HTTPS for all those clients that cant upgrade to a newer browser. (which exposes web sites to these threats) And you have to convince browser and web server vendors to support the new HTTPS replacement.

      Google would probably do it (on desktop, ChromeOS, Android and its custom web/SSL server software) especially if it made it harder for the kind of man-in-the-middle-using-fake-certificates type attacks the NSA have been using (the ones that let the NSA serve up fake copies of popular web sites as a vector to infect other machines). Opera and others that use the Google rendering engine would probably use the Google support.

      Mozilla would probably do it if you could convince them that its not just going to be bloat that never gets used.

      Apache would probably support it via a mod_blah and if they dont, someone else would probably write one.

      Other FOSS browsers and servers (those that do HTTPS) would probably support it if someone wrote good patches.

      But good luck convincing commercial vendors like Microsoft and Apple to support a new protocol. And the Certificate Authorities would fight hard against anything that made them obsolete (which any new protocol really needs to do)

  3. Oh, man, what a mess by 93+Escort+Wagon · · Score: 3, Interesting

    I do have to wonder if the task was made easier given the purpose of the server. After all, I'd think it wouldn't get traffic at all except for those people responding to the challenge. But, still, this proved it's possible.

    So not only do those of us responsible for web servers need to generate new server certs for all of our servers... pretty much every current web server cert in existence also needs to be revoked. Are the CAs even willing/able to do something on that scale in a short amount of time?

    --
    #DeleteChrome
    1. Re:Oh, man, what a mess by sphealey · · Score: 4, Interesting

      From the linked site: "He sent at least 2.5 million requests over the course of the day." So, no rate limiters, anti-DDS protection, or other active countermeasures in operation. Reasonable for this challenge but not overly realistic.

      sPh

    2. Re:Oh, man, what a mess by heypete · · Score: 5, Insightful

      So not only do those of us responsible for web servers need to generate new server certs for all of our servers... pretty much every current web server cert in existence also needs to be revoked. Are the CAs even willing/able to do something on that scale in a short amount of time?

      Netcraft actually has an interesting article about that very situation.

      Obviously, the CAs don't really have a choice in the matter, but I can't imagine they really have capacity issues in regards to the actual revoking/signing as that's all automated. If things get crazy busy, they can always queue things -- for most admins it doesn't really matter if the new cert is issued immediately or after 15 minutes.

      Human-verified certs like org-verified and EV certs might have a bit of delays, but domain-validated certs should be quick to reissue.

      Of course, revocation checking for browsers is really bad. Ideally, all browsers would handle revocation checking in real-time using OCSP and all servers would have OCSP stapling enabled (this way the number of OCSP checks scales as the number of certs issued, not the number of end-users). Stapling would help reduce load on CA OCSP servers and enable certs to be verified even if one is using a network that blocks OCSP queries (e.g. you connect to a WiFi hotspot with an HTTPS-enabled captive portal that blocks internet traffic until you authenticate; without stapling there'd be no way to check the revocation status of the portal).

      Also, browsers should treat an OCSP failure as a show-stopper (though with the option for advanced users to continue anyway, similar to what happens with self-signed certificates).

      Sadly, that's basically the opposite of how things work now. Hopefully things will change in response to Heartbleed.

    3. Re:Oh, man, what a mess by mysidia · · Score: 5, Informative

      pretty much every current web server cert in existence also needs to be revoked. Are the CAs even willing/able to do something on that scale in a short amount of time?

      Calm down. A majority of web servers are not vulnerable and never were. All in all... less than 30% of SSL sites need to revoke any keys.

      Some websites are running with SSL crypto operations performed by a FIPS140-2 hardware security module; these are not vulnerable, since OpenSSL doesn't have access to the private key stored in the server's hardware crypto token.

      Many web sites are running on Windows IIS. None of these servers are vulnerable.

      Plenty of web sites are running under Apache with mod_nss, instead of mod_ssl. None of the websites using the LibNSS implementation of SSL are vulnerable.

      Many web sites are running on CentOS5 servers with Redhat's openssl 0.9.x packages. None of these servers were ever vulnerable.

      Many web sites are running on CentOS6 servers, that had not updated OpenSSL above 1.0.0. These websites weren't vulnerable.

      Many websites are running behind a SSL offload load-balancer; instead of using OpenSSL. Many of these sites were not vulnerable.

  4. Re:There are people that tust SSL-certificates??? by fuzzyfuzzyfungus · · Score: 3, Informative

    The bigger issue is that even people who don't trust the (braindead; but too convenient to die) "Hey! Let's just trust about 150 zillion different 'secure' Certificate Authorities and if they signed the cert and it matches the domain everything must be OK!" are still pretty screwed if whatever specific certificate or certificates they are using are now also in the hands of some unknown and probably malicious 3rd party...

    There's a pretty big difference between 'because the system is pretty stupid, you can generate a valid certificate for any domain by knocking over any one of an alarming number of shoddy and/or institutionally captured CAs' and 'your private key, yours specifically, can be remotely slurped out of your system and used to impersonate it exactly'.

  5. Re:I can't use cloudflare, connection is insecure by _Shad0w_ · · Score: 4, Informative

    Chrome turns the "check for revocation" option off by default, it seems.

    --

    Yeah, I had a sig once; I got bored of it.

  6. And the cry goes up from ten thousand admins, by SuricouRaven · · Score: 4, Funny

    Fuck.

    (Except here in the UK, we are more creative with our profanity.)

    1. Re:And the cry goes up from ten thousand admins, by John+Bokma · · Score: 3, Funny

      By Jove!

      --

      Perl Programmer for hire
    2. Re:And the cry goes up from ten thousand admins, by Virtucon · · Score: 3, Funny

      Bollocks!

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    3. Re:And the cry goes up from ten thousand admins, by Teun · · Score: 4, Funny

      I say!

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  7. Re:The CA should not revoke the certificates, by mysidia · · Score: 5, Insightful

    the user of the keys should do this. Would you want to pay for new certs even if you were not affected by heartbleed?

    It's within the CA's right, however, to scan the URLS certified by each certificate, test for Heartbleed vulnerability --- and automatically revoke, if they determine that the site is vulnerable.

  8. Re:I can't use cloudflare, connection is insecure by lgw · · Score: 5, Funny

    Internet Explorer for the win (my head asploded):

    There is a problem with this websiteâ(TM)s security certificate.

    This organization's certificate has been revoked.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

    We recommend that you close this webpage and do not continue to this website.

    Click here to close this webpage.

    I feel like I've fallen into Bizarro world, where IE is the safe browser and IIS the safe server. Maybe I should grow a goatee?

    --
    Socialism: a lie told by totalitarians and believed by fools.
  9. Tools for checking by bobstreo · · Score: 3, Informative

    There are a couple tools available at:

    https://github.com/Lekensteyn/...

    It's python based so YMMV

    They will tell you if you are vulnerable (See the README.md file)

  10. Re:The CA should not revoke the certificates, by mwvdlee · · Score: 5, Insightful

    Which only tells us they're patched now, it doesn't tell them how much time the site was vulnerable.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  11. There is more where that came from by Anonymous Coward · · Score: 5, Interesting

    Coverity is a static analysis tool. It was tested on the source code with the Heartbleed vulnerability and did not find it. The developers of Coverity made a proof-of-concept modification to treat variables as tainted if they're subjected to endianess conversion, based on the assumption that such variables contain external and thus potentially hostile data. With this modification, Coverity finds the Heartbleed bug, as described in this blog post. Note the comment below the screenshot: "As you might guess, additional locations in OpenSSL are also flagged by this analysis, but it isn’t my place to share those here." This may just be a consequence of not detecting all ways in which a tainted variable is sanitized, or it may point to more problems.

    1. Re:There is more where that came from by InsaneLampshade · · Score: 4, Interesting

      They thought malloc was too slow. http://www.tedunangst.com/flak...

  12. Re:The CA should not revoke the certificates, by Anonymous Coward · · Score: 5, Funny

    Pff now you're telling me the CA has the authority to tell me which certificates are bad??

    Oh piss on that!

  13. Re:The CA should not revoke the certificates, by beelsebob · · Score: 5, Insightful

    Yes... That's the entire point of a CA, to certify that a person really is that person. If the certificate is bad, they can no longer make that certification, so it really really really is their job to do that. It is in fact their only job.

  14. Re:There are people that tust SSL-certificates??? by gweihir · · Score: 3, Insightful

    I am not sure it is a bigger issue, since many of these sites will not be publicly reachable. But it definitely is an issue foe example for large corporations that use SSL in their Intranet with self-signed certificates. They now have to wonder whether some of their staff has attacked their servers this way.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Re:The CA should not revoke the certificates, by dcollins117 · · Score: 4, Funny

    Pff now you're telling me the CA has the authority to tell me which certificates are bad??

    If that is an issue, there is nothing stopping you, or anyone, from becoming their own Certifcate Authority. I've done this for my own sites, since I am at least 97% sure I am who I claim to be.

  16. Re:The CA should not revoke the certificates, by mellon · · Score: 5, Informative

    It doesn't matter who revokes the keys. Right now only Firefox and Chrome ever check for revoked certs, and Chrome at least has this disabled by default. If you are running iOS or Android, your browser doesn't check the CRL before trusting the cert. So it's great if web sites revoke certs, but it doesn't actually change anything on the end user side, for the most part. I'm not saying anything about Windows platforms because I don't have access to any; it's possible that they do support CRLs. You can check whether your browser supports CRLs by going to this test URL. If you don't get a warning from your browser, your browser isn't checking CRLs.

  17. Re:The CA should not revoke the certificates, by mhotchin · · Score: 4, Informative

    IE 11 (at least) works properly, right out of the box:

    There is a problem with this website’s security certificate.

    This organization's certificate has been revoked.
    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
    We recommend that you close this webpage and do not continue to this website.
    Click here to close this webpage.

  18. Re:The CA should not revoke the certificates, by jopsen · · Score: 3

    Which only tells us they're patched now, it doesn't tell them how much time the site was vulnerable.

    There is probably still a great deal of unpatched openSSL deployments out there.. and it'll probably be a while before they're all patched (if ever)...

  19. Re:The CA should not revoke the certificates, by wed128 · · Score: 3, Interesting

    OK, then they should invalidate ALL certificates, test customers for the patch, give patched customers new certs, and refuse to give new certs to unpatched customers. It's their business to maintain a 'web of trust'.

  20. Re:The CA should not revoke the certificates, by parkinglot777 · · Score: 3, Interesting

    There is probably still a great deal of unpatched openSSL deployments out there..

    I think you miss the GP point. I believe the GP is saying that the site could have been exploited for a while and the damage has already been done. The check just tell us that the site has been patched but NOT tell us how much the damage is done to users. As a result, some users do not know that their username/password have already been stolen by the exploitation (which is not caused by the user). I doubt that there is a gray area allowed in security. Once the security is breached, there is no guarantee to say that everything is now fine after the fixed/patched.