An SSL vulnerability! Again. Of all the things that can go wrong with secure communications on the Internet, a bug inside one of the most widespread SSL libraries, OpenSSL, is definitely one of the worst. Officially referenced as CVE-2014-0160, the bug is aptly nicknamed “Heartbleed,” since it was discovered inside an OpenSSL heartbeat feature. It allows attackers to read a random 64KB block of memory from your server. As many times as they want. Without any trace of it in your logs.

Why is this bad? Well, apart from information like usernames and passwords that might temporarily sit in your server’s random access memory, Heartbleed may also leak the private key that corresponds to your server’s digital certificate (which proves to any party connecting to you that you’re really who you purport to be). At that point, it’s pretty much game over. Any adversary could then mount a simple MITM attack using Moxie’s sslsniff, given the right network vantage point. Public Internet access points, where everyone sits on the same layer 2 network, would make this particularly easy when combined with a tool such as ettercap.

You can test if your server is vulnerable here. But, if you’re running an Apache SSL web server, chances of vulnerability are high. (The positive? When last did someone congratulate you for running that web server on IIS 6?!)

In case of vulnerability, rekey your SSL certificate immediately, and get it re-signed by your CA – a pretty straightforward, albeit tedious process. Active sessions should be timed out and, if your service relies on usernames and passwords only (what, no multi-factor?), have all your users change their passwords immediately. Please also get your certificate authority to REVOKE your current (possibly compromised) SSL certificate – this isn’t mentioned in most of the posts I’ve read about the issue, but is absolutely crucial.
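One way to make the rekey step above verifiable, as an added example that is not part of the original post: the script generates a fresh key and CSR and then checks that the CSR does not carry the same public key as the old (possibly compromised) certificate, so that a "renewal" cannot silently keep the leaked key in service. File paths and the CN www.example.com are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). After Heartbleed the server's
# private key must be assumed leaked, so the replacement certificate has to be
# issued for a NEW key. These helpers generate a fresh key + CSR and verify
# that a CSR does not reuse the public key of the old (compromised) certificate.
# Paths and the CN "www.example.com" are placeholders.
set -eu

# Rekey step: new 2048-bit RSA key and a CSR to hand to the CA.
make_new_csr() {   # $1 = new key path, $2 = CSR path
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo, so a cert and a CSR carrying the
# same key give the same fingerprint regardless of PEM formatting.
spki_fingerprint() {   # $1 = "x509" (certificate) or "req" (CSR), $2 = file
  openssl "$1" -in "$2" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) when the CSR's key differs from the old certificate's key,
# i.e. a genuine rekey. Fails (exit 1) if the old key was merely re-submitted,
# which would leave the leaked key in service under a new certificate.
is_rekeyed() {   # $1 = old certificate (PEM), $2 = new CSR (PEM)
  [ "$(spki_fingerprint x509 "$1")" != "$(spki_fingerprint req "$2")" ]
}

# Stand-alone demo on a constructed self-signed "old" certificate.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.com" \
    -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
  make_new_csr "$d/new.key" "$d/new.csr"
  if is_rekeyed "$d/old.crt" "$d/new.csr"; then
    echo "OK: new CSR uses a fresh key; revoke the old certificate once the new one is issued"
  else
    echo "DANGER: CSR reuses the compromised key"
  fi
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh rekey-check.sh demo` to see the check on a constructed certificate, or call `is_rekeyed old.crt new.csr` against your real files before sending the CSR to the CA.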

Now, for myself and Entersekt’s customers, the really important part: did Heartbleed affect our authentication platform? 

Absolutely not. Our technology is not reliant on these standard libraries. The certificates in use with our products do not have to be renewed or rekeyed because they could not have been compromised. Users of our multi-factor authentication solutions can rest easy. Congrats!

Christiaan Brand

FORMER CTO