The rush to revoke and replace digital certificates on Heartbleed-vulnerable Web servers seems to be no rush at all.
Internet research and security services firm Netcraft reports today that of the more than 500,000 servers it knows of that are running vulnerable versions of OpenSSL, only 80,000 certificates have been revoked so far. The urgency to do so was ramped up on Friday when four unrelated security researchers each were able to take advantage of the TLS heartbeat vulnerability to steal private SSL keys in a challenge set up by vendor CloudFlare.
Also, the first public reports of exploits against websites resulting in stolen data were reported against the Canada Revenue Agency and Mumsnet of the U.K.
“While some companies quickly recognized the need to issue new certificates in response to the Heartbleed bug, the number of revocations has not kept up,” wrote Paul Mutton. “This is a mistake, as there is little point issuing a new certificate if an attacker is still able to impersonate a website with the old one.”
Heartbleed is a dangerous Internet-wide bug that can be exploited to steal sensitive information such as user credentials, and also private encryption keys if the attack is replayed often enough. One researcher in the CloudFlare Challenge, Russian Fedor Indutny, replayed his attack 2.5 million times before he was able to steal a key from a nginx server running an unpatched instance of OpenSSL set up by CloudFlare.
Researchers had speculated it was incredibly difficult and unlikely to steal private keys by exploiting Heartbleed, but that was proven incorrect as by Saturday morning there were four reported winners of the challenge, including Indutny who was the first. Making matters more challenging is that Heartbleed attacks do not leave a log entry, for example, and are undetectable.
The process of revoking old certificates and reissuing new ones involves working closely with a certificate authority, many of which offer self-service tools or APIs that help facilitate the process. The problem is that the wonky code was introduced into OpenSSL in December 2011 and there have been public reports that it has been exploited as far back as last November.
“You have to get your infrastructure patched so that any future damage will not be incurred because of the vulnerability, and the second priority is replacing or reissuing certificates to mitigate the risk from private keys stolen while the vulnerability existed in the wild,” said Marc Gaffan, cofounder of Incapsula. Users, for example, should make sure that sites on which they’re changing credentials have been patched, otherwise an attacker could continue to exploit an unpatched site stealing new credentials in the process.
Netcraft, meanwhile, estimates the cost of replacing compromised certs with new ones at more than $100 million; some CAs, however, are allowing customers to reissue and revoke certificates free of charge, Netcraft said. It points out also that many sites are buying new certificates rather than reissuing.
“Perhaps in the haste of resolving the problem, this seemed the easiest approach, making Heartbleed a bonanza for certificate authorities,” Mutton said.
Netcraft also points out that some companies—including large sites such as Yahoo’s mobile log-in page, the U.S. Senate large file transfer system, and GeoTrust’s SSL Toolbox—have deployed new certs but have yet to revoke old ones. Some of those not yet on a Certificate Revocation List are still sending OCSP responses that those certificates are “good,” Netcraft said.
Revocation may not help in some cases, Netcraft cautions, saying that four percent do not specify a URL for an OCSP responder and can only be revoked through a CRL.
“This makes the certificates effectively irrevocable in some browsers — for example, the latest version of Mozilla Firefox no longer uses CRLs at all (previously it would fall back to checking a CRL if an OCSP request failed, but only for Extended Validation certificates),” Mutton said.
There are still other certificates, Netcraft said, that may have been compromised and do specify either a OCSP or CRL address and cannot be revoked until they expire.
“These certificates are therefore completely irrevocable in all browsers and could be impersonated until their natural expiry dates if an attacker has already compromised the private keys,” Mutton said.