The Internet is broken – Please fix!

The true danger of Heartbleed – Non-revocation of certificates

The main threat around Heartbleed is that an intruder could view the private key of the certificate on a Web site, as openssl reveals an area of the running memory, which can contain the private key of the site. This private key is the thing that uniquely identifies the site to the user (as shown by the padlock in the URL window – such as in Figure 2). An organisation thus uses its private key to digitally sign something, and then the public key on the digital certificate is used to check this. This is the core of security on the Internet.

Last week I gave an interview with BBC Scotland, and I explained how an organisation could revoke their certificate when it was stolen, and I immediately went home and check my browser. The first one I checked was Google Chrome, and found that it didn’t revoke my certificate, so I was worried that I had said something which was incorrect. After searching the settings of the browser, I found that in Advanced Options (Figure 1) that the checking for certificate revocation was turned-off, by default. I honestly don’t understand this, as this is the core of Internet security, and is used where a malicious certificate has been generated, or where a key has been stolen. So, even if an organisation was to revoke their certificate, Google Chrome would not pick it up, so you’ve really got to wonder why Google have done this. The Internet is broken … and browsers may be to blame!

chromeFigure 1: Check for server certificate revocation

rbsFigure 2: Secure web communications

Full Interview

Here is the interview:

and here is a post of Heartbleed which identifies the problem. If you’re interested in understand digital certificates, please view this post.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s