Heartbleed and Certificate Authorities

The best place to start, as usual, is with Ars Technica. The take away: the private keys need to be regenerated too.

But what really caught my attention was the first two promoted comments on the Yahoo mail story. In particular this comment makes far too much sense.1 All of the old certificates (even after sites put new certs in place) can be used for man-in-the-middle impersonation.2

IMO SSL/TLS is now completely broken. The number of potential certificates that have been exploited and that could now be used for man in the middle attacks could be in the millions….. the list of black listed certificates will be in the millions and/or the number of blacklisted sub certficate authorities is probably going to be 10,000+.

Christina Warren has a very nice overview of the common sites impacted by Heartbleed. It’s surprising and heartwarming that none of the major banks were compromised by this defect. Either they don’t use OpenSSL or they never updated it.

  1. I know, I know. Having comments on a site is worse than putting Mein Kampf in the footer. I still like most comments and Ars has some great stuff down there in the gutter. ↩︎

  2. Funny that Bruce Schneier has the same 1 to 11 scale. The comments on his post are worth reading too. ↩︎