Experts Show Heartbleed Bug Can Be Exploited to Extract Private SSL Keys

Also, the NSA denies having known about Heartbleed for two years

April 12th, 2014 08:04 GMT

Ever since the existence of the Heartbleed bug came to light, security experts have been arguing about whether or not private SSL keys can be extracted. It turns out that, while it’s not easy, it can be done.

CloudFlare launched a challenge earlier this week, asking experts to prove that SSL keys can be obtained. Software engineer Fedor Indutny and Ilkka Mattila of NCSC-FI solved the challenge within 9 hours.

The Heartbleed bug affects a large number of Internet services. The OpenSSL vulnerability can be exploited by an attacker to “trick” a server into handing over sensitive information, including passwords and the contents of communications.

However, there has been some controversy regarding SSL private keys. A number of experts initially said it was very difficult – if not impossible – to obtain the data.

Now that experts have demonstrated that it can be done, companies must not only instruct their customers to change their passwords, but also revoke their private keys and issue new ones – all this after the Heartbleed vulnerability has been patched, of course.

Speaking to Softpedia, Incapsula Co-founder & Chief Business Officer Marc Gaffan highlighted the fact that, although a patch is available, some systems might remain unpatched and vulnerable to attacks for months to come.

“Many organizations struggle with patch management, due to issues with skilled staff or documented processes. Whitehat Security’s latest annual study found the average time to resolution of serious security issues to be 193 days from first notification,” Gaffan explained.

He said Incapsula’s customers don’t have to worry about being impacted by the Heartbleed bug. The company issued new SSL certificates right from the start, just to be on the safe side.

“Incapsula’s approach changes all of that. Since a customer’s web applications are routed through our network, their vulnerability to Heartbleed attacks was eliminated as soon as we patched our worldwide network – just 12 hours after the vulnerability was announced. Incapsula took it a step further this week by issuing new SSL certificates for all of our customers so that they would have a new private key,” he added.

“While it may never be known who, if anyone, exploited Heartbleed between March 2012 and April 2014, our customers know that we have eliminated all known and potential risks for them using our cloud security service.”

Unfortunately, there are still a lot of certificates that should be revoked. In a report published on Friday, Netcraft revealed that only 30,000 of the over 500,000 SSL certificates affected by Heartbleed had been reissued. The number of revoked certificates is even smaller.
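The remediation steps the article lists (patch OpenSSL, change passwords, reissue the key and certificate, revoke the old certificate) are easy to leave half done, which is the gap the Netcraft figures describe. The following is an added example, not code from the article, CloudFlare, Incapsula or Netcraft: it triages a constructed inventory of hosts into the four states a defender cares about, using only the day the vulnerable OpenSSL was replaced, the notBefore date of the certificate currently served, and whether the pre-patch certificate was revoked. The record layout, the hostnames and the state names are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Public disclosure of Heartbleed; OpenSSL 1.0.1g with the fix shipped the same day.
DISCLOSURE_DATE = date(2014, 4, 7)

# Remediation states, in the order the article's steps imply.
VULNERABLE = "VULNERABLE"                          # still running a vulnerable OpenSSL
KEY_EXPOSED = "PATCHED_KEY_EXPOSED"                # patched, but serving a key that lived on the vulnerable build
REVOKE_PENDING = "REISSUED_OLD_CERT_NOT_REVOKED"   # fresh key in place, old certificate still accepted by clients
REMEDIATED = "REMEDIATED"


@dataclass
class HostRecord:
    """Constructed inventory row (hypothetical layout); every host here ran a vulnerable OpenSSL at some point."""
    hostname: str
    patched_on: Optional[date]   # day the vulnerable OpenSSL was replaced, None if it still runs
    cert_not_before: date        # notBefore of the certificate the host currently serves
    old_cert_revoked: bool       # whether the certificate used before the patch has been revoked


def remediation_state(rec: HostRecord) -> str:
    """Classify one host; the first failing step decides the state."""
    if rec.patched_on is None:
        return VULNERABLE
    if rec.patched_on < DISCLOSURE_DATE:
        # No public fix existed before disclosure, so the inventory row is inconsistent.
        raise ValueError(f"{rec.hostname}: patch date precedes public disclosure; check the inventory")
    # A private key that existed while the host was vulnerable may have been read out of
    # process memory, so only a certificate issued on or after the patch date counts as fresh.
    if rec.cert_not_before < rec.patched_on:
        return KEY_EXPOSED
    # A reissued key does not help while the old certificate is still valid to clients.
    if not rec.old_cert_revoked:
        return REVOKE_PENDING
    return REMEDIATED


def triage(records):
    """Group hostnames by remediation state so the gap at each step is visible."""
    buckets = {VULNERABLE: [], KEY_EXPOSED: [], REVOKE_PENDING: [], REMEDIATED: []}
    for rec in records:
        buckets[remediation_state(rec)].append(rec.hostname)
    return buckets


# Constructed sample inventory, one host per state.
SAMPLE_INVENTORY = [
    HostRecord("shop.example", None, date(2013, 11, 2), False),             # never patched
    HostRecord("mail.example", date(2014, 4, 8), date(2013, 6, 15), False), # patched, old key still served
    HostRecord("www.example", date(2014, 4, 8), date(2014, 4, 10), False),  # new key, old cert not revoked
    HostRecord("api.example", date(2014, 4, 9), date(2014, 4, 11), True),   # all steps done
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state:34} {', '.join(hosts) or '-'}")
```

The comparison is made against each host's own patch date rather than the disclosure date on purpose: a certificate issued on April 8th for a server that was not patched until April 20th still spent twelve days on a vulnerable build, and the article's point is that patching alone does not make such a key safe.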

Since compromised SSL certificates can be used for spying, and since there can be no spying story without the US National Security Agency being somehow involved, Bloomberg published a report alleging that the NSA had known about Heartbleed for at least two years.

However, the Office of the Director of National Intelligence categorically denied the report.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong,” reads the statement from the agency.
