Had a busy day today because of the recently publicised OpenSSL vulnerability (CVE-2014-0160). Existing private keys are no longer secure. I suppose closed systems still got its value.

Is GnuTLS better? Seems not. It’s not recommended and was even considered harmful.

Meanwhile it may be a good idea to review how SSL works. There is an excellent article on Digicert that describes this

So in order for heartbleed to successfully steal data, an attacker will need to

  • Steal the site’s private key
  • Steal the symmetric session key, decrypt it with the site private key
  • Tap into traffic streams between target server and target user
  • Decrypt captured traffic using the stolen session key

Extending this further, with a site’s private key, attacker can create a new certificate, set up a phishing site, steal the site’s DNS record using other techniques unrelated to heartbleed, and then impersonate the target systems.

If the attacker manages to compromise the CA’s certificate infrastructure, they can start making self-generated certificates and sign them using the stolen CA key.

This really makes SSL no longer a secure protocol. On the bright side, it’s not trivial to steal your data utilizing the heartbleed vulnerability.

References:

http://www.zdnet.com/gnutls-big-internal-bugs-few-real-world-problems-7000027041/

Leave a Comment