Linked by Thom Holwerda on Tue 8th Apr 2014 22:06 UTC
Privacy, Security, Encryption

Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data safe.

Serious.

Permalink for comment 586756
RE: Comment by Gone fishing
by wigry on Wed 9th Apr 2014 10:53 UTC in reply to "Comment by Gone fishing"

Generating a new key is not the problem. Blacklisting the existing key is not the problem. Distributing the blacklists and making sure that EVERY application/appliance consults the blacklist before trusting the other party is the problem. There can be millions of keys that must be blacklisted. Perhaps it would be easier to blacklist the intermediate CA keys? But that would require all the previously generated keys to be regenerated. This is a massive issue, and many appliances use offline blacklists and might not have (easy) means to update the blacklist, or might not have enough storage available to hold a list of two thirds of the internet's keys that have been blacklisted.

Also, I've seen programs where the CRL is not consulted due to performance requirements.

Therefore the man-in-the-middle attack has become an everyday reality, where the stolen keys are used to create fake sites.

Edited 2014-04-09 10:54 UTC

Reply Parent Score: 4
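As an added example (not part of the thread, and not code from OSNews or any commenter), here is a stdlib-only Python sketch of the check the comment above says every client has to perform: parse an RFC 5280 CRL, look up the serial of the certificate being presented, and decide what to do when the locally cached list is past its nextUpdate, which is exactly the state an appliance with an offline blacklist ends up in. The CRL is constructed in-process with made-up serials, an invented issuer name and a placeholder signature, so signature verification is deliberately skipped; a real client must verify signatureValue over tbsCertList with the issuer's key before trusting anything in the list.

```python
# Added example: minimal RFC 5280 CertificateList (CRL) parser plus a
# revocation check. Stdlib only. The sample CRL is constructed below with
# made-up serials and a dummy signature (no real CA involved).
from datetime import datetime, timezone

SEQ, SET, INT, NULL, OID, BITSTR, PRINTABLE, UTCTIME, GENTIME = (
    0x30, 0x31, 0x02, 0x05, 0x06, 0x03, 0x13, 0x17, 0x18)

# --- tiny DER encoder, used only to build the constructed sample CRL ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(v):                              # non-negative INTEGER
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return der(INT, b if b[0] < 0x80 else b"\x00" + b)

def der_utc(dt):
    return der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())

SHA256_RSA = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
ISSUER = der(SEQ, der(SET, der(SEQ, der(OID, bytes([0x55, 0x04, 0x03]))  # CN=
                                       + der(PRINTABLE, b"Example CA"))))

def build_crl(this_update, next_update, revoked):
    """revoked: list of (serial, revocation datetime). Signature is a placeholder."""
    entries = b"".join(der(SEQ, der_int(s) + der_utc(d)) for s, d in revoked)
    tbs = der(SEQ, der_int(1) + SHA256_RSA + ISSUER + der_utc(this_update)
              + der_utc(next_update) + der(SEQ, entries))
    return der(SEQ, tbs + SHA256_RSA + der(BITSTR, b"\x00" * 33))

# --- DER decoder and CRL parser ---
def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + ln
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def parse_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(crl_der):
    tag, body, end = read_tlv(crl_der, 0)
    if tag != SEQ or end != len(crl_der):
        raise ValueError("not a CertificateList")
    tbs = children(body)[0]                  # (tbsCertList, sigAlg, signature)
    f = children(tbs[1])
    i = 1 if f[0][0] == INT else 0           # optional version
    i += 2                                   # signature AlgorithmIdentifier, issuer
    this_update = parse_time(*f[i]); i += 1
    next_update = None
    if i < len(f) and f[i][0] in (UTCTIME, GENTIME):
        next_update = parse_time(*f[i]); i += 1
    revoked = {}
    if i < len(f) and f[i][0] == SEQ:        # revokedCertificates
        for _, entry in children(f[i][1]):
            (_, serial), (t, when) = children(entry)[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = parse_time(t, when)
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def check_revocation(serial, crl_der, now, fail_closed=True):
    """Return (trusted, reason). `now` lets the caller simulate an appliance
    still using an old offline CRL after nextUpdate has passed.
    NOTE: signatureValue is NOT verified here (sample CRL has a dummy one);
    a real client must verify it with the issuer's key before using the list."""
    crl = parse_crl(crl_der)
    if serial in crl["revoked"]:
        return False, f"revoked on {crl['revoked'][serial].date()}"
    if crl["next_update"] is not None and now > crl["next_update"]:
        if fail_closed:
            return False, f"CRL expired {crl['next_update'].date()}; refusing to trust"
        return True, "CRL expired but fail-open configured (stolen keys pass)"
    return True, "not in CRL"

# Constructed sample: a CRL dated April 2014, valid one week, listing two
# serials whose keys are assumed leaked. STALE is a date well after nextUpdate.
ISSUED = datetime(2014, 4, 8, 12, 0, 0, tzinfo=timezone.utc)
NEXT = datetime(2014, 4, 15, 12, 0, 0, tzinfo=timezone.utc)
STALE = datetime(2014, 6, 1, tzinfo=timezone.utc)
SAMPLE_CRL = build_crl(ISSUED, NEXT, [(0x1001, ISSUED), (0x1002, ISSUED)])

if __name__ == "__main__":
    for serial, now in [(0x1001, ISSUED), (0x2000, ISSUED), (0x2000, STALE)]:
        print(hex(serial), now.date(), check_revocation(serial, SAMPLE_CRL, now),
              check_revocation(serial, SAMPLE_CRL, now, fail_closed=False))
```

Two things the run makes visible. First, once the list is parsed the lookup itself is a dictionary hit; the cost people cite as a "performance requirement" is fetching and signature-verifying the list, not consulting it. Second, with `fail_closed=False` a certificate revoked after the appliance's last fetch is accepted without complaint, which is the offline-blacklist failure the comment describes; the only safe default for a cached CRL past its nextUpdate is to refuse the connection. Serials are only unique per issuer, so a real implementation keys the lookup on (issuer, serial) and matches the CRL's issuer against the certificate's.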