http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/
By Megan Geuss
Ars Technica
April 12, 2014
Contrary to previous suspicions, it is possible for hackers exploiting the
catastrophic vulnerability dubbed Heartbleed to extract private encryption
keys from vulnerable websites, Web services firm Cloudflare reported
Saturday.
As recently as yesterday, Cloudflare published preliminary findings that
seemed to indicate that it would be difficult, if not impossible, to use
Heartbleed to get the vital key that essentially unlocks the secure
sockets layer padlock in millions of browsers. To be extra-sure,
Cloudflare launched "The Heartbleed Challenge" to see how other people
exploiting Heartbleed might fare. The company set up an nginx server
running a Heartbleed-vulnerable version of OpenSSL and invited the
Internet at large to steal its private key.
Just nine hours later, software engineer Fedor Indutny and Ilkka Mattila
at NCSC-FI had obtained the server's private keys using nothing but the
Heartbleed vulnerability. As of this writing, CloudFlare had confirmed a
total of four winners: Rubin Xu, a PhD student in the Security group of
Cambridge University, as well as security researcher Ben Murphy.
The results are a strong indication that merely updating servers to a
version of OpenSSL that's not vulnerable to Heartbleed isn't enough.
Because Heartbleed exploits don't by default show up in server logs,
there's no way for sites that were vulnerable to rule out the possibility
the private certificate key was plucked out of memory by hackers. Anyone
possessing the private key can use it to host an impostor site that is
virtually impossible for most end users to detect. Anyone visiting the
bogus site would see the same https prefix and padlock icon accompanying
the site's authentic server.
[...]
--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
