New Heartbleed Bug
Apr 26, 2014 | 7:37 am
#16
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 238
> There's no point in revoking a certificate if the system is still compromised.
Not necessarily. Because of HeartBleed, the CA's are contractually *obligated* to mass-revoke certs. At least then, users & sysadmins MIGHT notice that their connections are not secure. But the CA's are not doing what they are obligated to-do. Mass revocation would also motivate the lazy/clueless sysadmins into doing what they have not yet done.
The proper sequence of steps for *sysadmins*:
1) Patch OpenSSL and anything else that relies on it.
2) Generate/buy a new private key w/new certificate. Preferably an Extended Validation cert, as an EV cert will immediately benefit the iPad/iPhone users. Yes, EV certs are expensive. Yes, EV certs are a PITA.
3) Revoke the olde certificate to prevent it from being used fraudulently.
4) Force-expire ALL users & admin passwords.
Sadly; we're seeing more a lot more new certs being issued, than certs being revoked. This is a smoking gun that sysadmins are failing ... and unnecessarily exposing their users to fraudulent/clone sites that mimic their real site.
>> Certificate revocations don't work.
But they should work. The problem is multi-dimensional. I am profoundly disappointed that waaay too many browsers are not even trying to validate certificates. *ALL* the common browsers default to a soft-fail. i.e. If they cannot validate, they assume the cert is valid. <Gulp>
Shame on Google Chrome & Apple Safari. They do not allow users to change this default.
IE (all versions) allows the default to be changed; but it requires a Registry hack ... and there are other damn good cert validation problems that should disqualify IE from ever being used for secure ops.
At the moment; Firefox is the only browser that allows users to easily change this nutty default:
> Tools
>> Options
>>> Advanced
>>>> Certificates
>>>>> Validation
>>>>> Put a checkmark in the box: When an OCSP server connection fails, treat the certificate as invalid.
Re: OCSP; yes, it is a genuinely baaad design. Ergo my prior comment that certificate validation/revocation should be modeled along the lines of DNSsec.
Not necessarily. Because of HeartBleed, the CA's are contractually *obligated* to mass-revoke certs. At least then, users & sysadmins MIGHT notice that their connections are not secure. But the CA's are not doing what they are obligated to-do. Mass revocation would also motivate the lazy/clueless sysadmins into doing what they have not yet done.
The proper sequence of steps for *sysadmins*:
1) Patch OpenSSL and anything else that relies on it.
2) Generate/buy a new private key w/new certificate. Preferably an Extended Validation cert, as an EV cert will immediately benefit the iPad/iPhone users. Yes, EV certs are expensive. Yes, EV certs are a PITA.
3) Revoke the olde certificate to prevent it from being used fraudulently.
4) Force-expire ALL users & admin passwords.
Sadly; we're seeing more a lot more new certs being issued, than certs being revoked. This is a smoking gun that sysadmins are failing ... and unnecessarily exposing their users to fraudulent/clone sites that mimic their real site.
>> Certificate revocations don't work.
But they should work. The problem is multi-dimensional. I am profoundly disappointed that waaay too many browsers are not even trying to validate certificates. *ALL* the common browsers default to a soft-fail. i.e. If they cannot validate, they assume the cert is valid. <Gulp>
Shame on Google Chrome & Apple Safari. They do not allow users to change this default.
IE (all versions) allows the default to be changed; but it requires a Registry hack ... and there are other damn good cert validation problems that should disqualify IE from ever being used for secure ops.
At the moment; Firefox is the only browser that allows users to easily change this nutty default:
> Tools
>> Options
>>> Advanced
>>>> Certificates
>>>>> Validation
>>>>> Put a checkmark in the box: When an OCSP server connection fails, treat the certificate as invalid.
Re: OCSP; yes, it is a genuinely baaad design. Ergo my prior comment that certificate validation/revocation should be modeled along the lines of DNSsec.
Last edited by gqZJzU4vusf0Z2,$d7; Apr 27, 2014 at 11:37 am
May 3, 2014 | 9:12 pm
#17
Join Date: Dec 2010
Location: AUS
Posts: 277
Settings...Advanced Settings...Check for server certificate revocation
There's a lot of technicality, but in general, it may be silly to enable a feature that really just gives a false sense of security.
http://www.macworld.com/article/1165...es_online.html