The true danger of Heartbleed – Non-revocation of certificates
The main threat around Heartbleed is that an intruder could view the private key of the certificate on a Web site, as openssl reveals an area of the running memory, which can contain the private key of the site. This private key is the thing that uniquely identifies the site to the user (as shown by the padlock in the URL window – such as in Figure 2). An organisation thus uses its private key to digitally sign something, and then the public key on the digital certificate is used to check this. This is the core of security on the Internet.
Last week I gave an interview with BBC Scotland, and I explained how an organisation could revoke their certificate when it was stolen, and I immediately went home and check my browser. The first one I checked was Google Chrome, and found that it didn’t revoke my certificate, so I was worried that I had said something which was incorrect. After searching the settings of the browser, I found that in Advanced Options (Figure 1) that the checking for certificate revocation was turned-off, by default. I honestly don’t understand this, as this is the core of Internet security, and is used where a malicious certificate has been generated, or where a key has been stolen. So, even if an organisation was to revoke their certificate, Google Chrome would not pick it up, so you’ve really got to wonder why Google have done this. The Internet is broken … and browsers may be to blame!
Figure 1: Check for server certificate revocation
Figure 2: Secure web communications
Full Interview
Here is the interview:
and here is a post of Heartbleed which identifies the problem. If you’re interested in understand digital certificates, please view this post.
billatnapier 