http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/
By Dan Goodin
Ars Technica
April 21, 2014
If you want to protect yourself against the 500,000 or so HTTPS
certificates that may have been compromised by the catastrophic Heartbleed
bug, don't count on the revocation mechanism built-in to your browser. It
doesn't do what its creators designed it to do, and switching it on makes
you no more secure than leaving it off, one of the Internet's most
respected cryptography engineers said over the weekend.
For years, people have characterized the ineffectiveness of the online
certificate status protocol (OCSP) as Exhibit A in the case that the
Internet's secure sockets layer and transport layer security (TLS)
protocols are hopelessly broken. Until now, no one paid much attention.
The disclosure two weeks ago of the so-called Heartbleed bug in the
widely-used OpenSSL cryptography library has since transformed the
critical shortcoming into a major problem, the stuff of absurdist theater.
Security experts admonish administrators of all previously vulnerable
websites to revoke and reissue TLS certificates, even as they warn that
revocation checks in browsers do little to make end users safer and could
indeed weaken the security and reliability of the Internet if they were
made more effective.
Certificate revocation is the process of a browser or other application
performing an online lookup to confirm that a TLS certificate hasn't been
revoked. The futility of certificate revocation was most recently
discussed in a blog post published Saturday by Adam Langley, an engineer
who was writing on his own behalf but who also handles important
cryptography and security issues at Google. In the post, Langley recites a
litany of technical considerations that have long prevented real-time
online certificate revocations from thwarting attackers armed with
compromised certificates, even when the digital credentials have been
recalled. Some of the considerations include:
[...]
--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
