While many sites have issued new certificates, the old ones are still around

Apr 28, 2014 12:31 GMT

The world’s big companies are failing to revoke their old security certificates despite the importance of such a step following the Heartbleed bug.

According to Netcraft, companies such as Yahoo, Facebook and LinkedIn have failed to revoke all of the certificates they reissued in response to the Heartbleed bug, which makes users susceptible to man-in-the-middle attacks.

When Heartbleed was exposed, about 17 percent of all SSL web servers were vulnerable to the bug. The vulnerability had been built into OpenSSL for about two years and it’s impossible to know if Heartbleed has been exploited or not since no traces are left behind on affected servers.

The bug made it possible for attackers to steal a server's private keys, which would allow them to impersonate the affected website using its own SSL certificate. A good portion of the certificates that could have been compromised were reissued, but only a few of them have actually been revoked.

The old certificates should also be revoked: a new certificate on the server does nothing to stop someone who holds the old key from presenting the old certificate, which stays valid until its expiry date unless it is revoked. Revocation is most effective when it actually reaches browsers, for example by being included in Google's CRLSets. Sites that have not taken this step are still exposing their users to the bug.
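The following script is an added illustration and is not part of the article or of any of the companies' tooling. It builds a throwaway CA with the openssl command line, issues an "old" certificate for a constructed hostname (login.example.test), reissues a "new" one with a fresh key, and then shows two things: a client that never consults revocation data accepts the old certificate before and after the reissue, while a client that checks the CA's CRL rejects it only once the CA has actually revoked it. The CA name, hostname and scratch directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): reissuing a certificate versus revoking it.
# Requires the openssl CLI. Everything below runs against a local throwaway CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, certs and the CA database

# Minimal OpenSSL CA configuration written for this demo only.
write_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $WORK/index.txt
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
new_certs_dir    = $WORK/newcerts
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
# overridden by -subj on every request below
commonName = placeholder

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

setup_ca() {   # fresh CA key, self-signed CA certificate and an empty CA database
  rm -rf "$WORK/newcerts"
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  rm -f "$WORK/ca.srl" "$WORK/index.txt.attr"
  write_config
  openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

issue_leaf() {   # $1 = label (old|new); each call makes a new key and certificate
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=login.example.test" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" >/dev/null 2>&1
}

revoke_cert() {   # $1 = label; record the revocation and publish a fresh CRL
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
  # A verifier that checks revocation needs the CRL next to the CA certificate.
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/trust_with_crl.pem"
}

check_without_crl() {   # $1 = label; how a client that never consults revocation data sees it
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo invalid
  fi
}

check_with_crl() {      # $1 = label; a client that does consult the published CRL
  out=$(openssl verify -crl_check -CAfile "$WORK/trust_with_crl.pem" "$WORK/$1.crt" 2>&1) \
    && { echo ok; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo invalid ;;
  esac
}

run_demo() {
  setup_ca
  issue_leaf old   # certificate in use while the server was vulnerable (key assumed leaked)
  issue_leaf new   # replacement issued after patching
  echo "old cert, client ignores revocation:  $(check_without_crl old)"   # ok
  revoke_cert old
  echo "old cert, client checks CRL:          $(check_with_crl old)"      # revoked
  echo "new cert, client checks CRL:          $(check_with_crl new)"      # ok
  echo "old cert, client ignores revocation:  $(check_without_crl old)"   # still ok
}
run_demo
```

The last line of output is the article's point in miniature: once the CA has revoked the old certificate, a client that checks the CRL rejects it, but a client that never looks at revocation data (which is how most browsers behave unless the revocation is pushed to them, for example through CRLSets) keeps accepting it until it expires.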

Yahoo, for instance, had the vulnerable TLS heartbeat extension enabled before the bug was disclosed, and has since changed its certificate. The previous certificate used on login.yahoo.com, however, has not been revoked.

This means that anyone using Yahoo's services could still be exposed to man-in-the-middle attacks until that certificate is revoked.

Given Yahoo's many fail moments, no one is really surprised by the slip, but other sites are making the same error. Twitter, LinkedIn, Facebook, Apple, FedEx, PayPal and American Express are all on the list of services that have not taken every necessary step: they have patched their servers and reissued a new certificate, while leaving the old one to rot, or to be used by any attacker who got hold of its key.

There can be many reasons why the old certificates have not yet been revoked. Some sites may consider the step pointless, while others may simply not realize it is necessary. Some administrators may also want to wait a few weeks to make sure the new certificate works properly, which delays revocation for at least a little while.