It seems like Heartbleed is going to be keeping infosec people busy for a while.
First, multiple people have succeeded in using Heartbleed to extract the private key behind a website’s SSL certificate. This is not good news, since it lets attackers set up sites with phony baloney SSL certificates which look and act like the real McCoy. I think we’ll be seeing a lot of revoked and reissued certificates this week. Nobody is likely to be happy about this except for CAs, who stand to profit from this debacle (although, since they had nothing to do with causing the problem, can we blame them?).
Obviously, any site which was Heartbleed vulnerable needs to get new certs toot sweet. But what about sites which were not vulnerable? From a technical point of view, if you never ran one of the vulnerable versions of OpenSSL, you really don’t need to buy a new certificate. However, given that Heartbleed was around for 2 years, site owners will have to think back to whether they were ever running vulnerable software while serving their current certificates (and the private keys behind them). Hope you had good version control on your site!
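As an added example (not part of the original post), here is a small Python check for exactly that question: given a deployment history recovered from version control, was the private key behind the current certificate ever served by a Heartbleed-vulnerable OpenSSL build? The vulnerable range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g) is from the OpenSSL advisory; the record layout, dates and key fingerprints are constructed for the example.

```python
import re
from dataclasses import dataclass

# Vulnerable per the OpenSSL advisory: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Caveat: distributions often backport the fix without bumping the upstream
# version string, so a bare version can be a false positive; the `patched`
# flag records builds you know carry the backported fix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def parse_openssl_version(s):
    """Split e.g. '1.0.1e' or '1.0.2-beta1' into comparable parts."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {s!r}")
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_vulnerable(version, patched=False):
    """True if this OpenSSL build shipped the Heartbleed bug (CVE-2014-0160)."""
    if patched:
        return False
    major, minor, fix, letter, beta = parse_openssl_version(version)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # 1.0.1 (no letter) up to and including 1.0.1f
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1              # 1.0.2-beta1 only; 1.0.0.x and 0.9.8x are unaffected
    return False


@dataclass
class Deployment:
    since: str            # ISO date the build went live (constructed)
    openssl: str          # upstream version string, as reported by `openssl version`
    key_fingerprint: str  # fingerprint of the private key served by that build (constructed)
    patched: bool = False # distro build known to include the backported fix


def exposed_deployments(history, current_fingerprint):
    """Deployments during which the given key was served by a vulnerable OpenSSL."""
    return [d for d in history
            if d.key_fingerprint == current_fingerprint
            and is_heartbleed_vulnerable(d.openssl, d.patched)]


# Constructed history: key A1 was replaced by B2 in 2013; the 2014-04-08 entry
# is a distro build with the backported fix, followed by an upstream 1.0.1g.
SAMPLE_HISTORY = [
    Deployment("2012-03-15", "1.0.0g", "A1"),
    Deployment("2012-06-01", "1.0.1c", "A1"),
    Deployment("2013-02-10", "1.0.1e", "B2"),
    Deployment("2014-04-08", "1.0.1e", "B2", patched=True),
    Deployment("2014-04-10", "1.0.1g", "B2"),
]
```

Running `exposed_deployments(SAMPLE_HISTORY, "B2")` returns the 2013-02-10 deployment, so key B2 was exposed for over a year and the certificate should be reissued; a history containing only 1.0.0 or 0.9.8 builds returns an empty list.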
And it’s not just web servers we need to worry about. Other, non-port-443 services like email, databases, directory services, APIs and the like also use OpenSSL to protect their communications in transit. We may be hearing about Heartbleed attacks on these services in the coming weeks and months.
And the good news just keeps on coming – there’s a lot of client and embedded device software out there running vulnerable OpenSSL code. At least one expert thinks that malicious servers can be set up to exploit clients and extract passwords and crypto keys from devices which connect to them. While Apple’s OS X and iOS products are Heartbleed-free, Android version 4.1.1 (said by Google to be in use on millions of devices) is vulnerable to the bug.
Finally, I think it is safe to assume that phishers are going to make the most of Heartbleed – fake “password reset” notices will be filling our inboxes, trying to exploit Heartbleed hysteria to steal credentials in a low-tech fashion.
So, expect Heartbleed related heartburn for the foreseeable future, folks…