More than a month has passed since the disclosure of the Heartbleed vulnerability and it is still making the rounds in the news. Even though it presents a serious security issue for Internet communication, there are still a good number of servers and services that haven't been fixed. There is also evidence that a good portion of remediation efforts have fallen short and are insufficient to protect against and resolve the issues created by Heartbleed.
The problem is that people are reissuing certificates using the same private key. If this is done, a server that was affected by Heartbleed faces the same risks as before the certificate was replaced. Without changing the private key the reissued certificate will be identical to the old one. To find out if you are in this situation, just compare the new/reissued certificate to the old one. If they are exactly the same you need to go through the process of generating a new certificate again.
As a word of caution for all those that haven't yet responded to Heartbleed, it is good practice to assume your private key has been compromised, even if there isn't any evidence of compromise. According to the Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, a private key should be considered "compromised" whenever a practical technique to discover its value exists. In other words, the existence of Heartbleed is enough to consider your key compromised, and you should take proper steps to protect your systems.
To properly remediate the Heartbleed vulnerability follow the steps below:
- Update OpenSSL to 1.0.1g or higher
- Generate a new private key
- Request a new certificate from your CA using the new private key
- Revoke your old certificate
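The check described above (has the reissued certificate actually got a new key?) and steps 2 and 3 of the list, as an added example that is not part of the original post. It assumes the `openssl` command-line tool is installed; file names and the `example.test` host name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.
set -eu

# Print the SHA-256 fingerprint of the public key inside a PEM certificate.
# Two certificates issued for the same private key share this value even
# though serial numbers, validity dates and signatures differ, so comparing
# it is a more reliable test than comparing the certificate files themselves.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r \
      | cut -d' ' -f1
}

# Exit status 0 if the reissued certificate still carries the old public key
# (the private key was NOT rotated, remediation is incomplete), 1 otherwise.
same_key() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# Generate a fresh private key and a CSR for it (steps 2 and 3 of the list).
# The CSR is what goes to the CA; the key never leaves the server.
new_key_and_csr() {
    key=$1 csr=$2 cn=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr"
}

# Usage: sh check_reissue.sh old-cert.pem reissued-cert.pem
if [ "$#" -eq 2 ]; then
    if same_key "$1" "$2"; then
        echo "SAME public key: the reissued certificate still uses the compromised private key"
    else
        echo "Different public key: the private key was rotated"
    fi
fi
```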
Looking at the numbers[1], here is how things break down in the clean-up efforts:
- 53% Have done nothing
- 42% Have reissued their compromised certificate
  - 21% Reissued certificate with new private key but haven't revoked the old certificate
  - 7% Reissued certificate using the same private key
  - 5% Revoked old certificate but reissued using the same private key
  - 2% Reissued using the same private key only
- 20% Revoked old certificate
  - 1% Revoked the certificate but haven't reissued it
  - 14% Revoked the old certificate and reissued a new one using a new private key
Only 14% have done all the steps necessary to fix the issues of a compromised certificate. Those in the other categories, especially those still using the same private key, remain exposed and at risk of being compromised. With a vulnerability as critical as Heartbleed it is crucial to respond quickly and with the proper steps. I'm sure the issues related to Heartbleed will hang around for quite some time. Hopefully people keep talking about it so those that haven't taken action will see the need and do something about it.