trell

As the CEO of a digital identity and advanced authentication company, I find the newly exposed Heartbleed vulnerability extremely concerning, because it compromises the very fabric of what we all think of as security – locks and keys!

If we are not confident our locks work properly, we don’t sleep at night. Even worse is the thought that someone may have surreptitiously copied the key to our home. At that point we really worry, because we know someone is trying to do us harm. Somewhere in between is the concern that our keys may have been copied, but we don’t know, and there is no way to tell!

In all cases, the sane answer would be to have a trusted locksmith check our locks to ensure they are operating correctly, and if not, replace them and then change our keys to eliminate any risk that our keys may have been copied without our awareness.

This is exactly the problem we are now facing in our digital lives! In this case the broken lock is a digital lock called OpenSSL, and the key is the digital encryption key used in a digital certificate.

The bad thing here is that, because the digital lock is broken, bad guys could have copied the key. Once they have the key, they can use it to unlock all the encrypted data used in an online session: passwords, usernames, credit card numbers, social security numbers and so on. Virtually anything we are transmitting in an online session.

Hydrant ID Will Support Our Customers


In light of this serious vulnerability, HydrantID will support our customers to help them determine whether their systems are affected and ensure they have the information necessary to correct the problem. In addition, we will provide the necessary certificate services to allow our customers to revoke and re-issue all potentially affected SSL certificates, immediately and at no cost.

In addition, at the customer's request, we will verify that the system(s) are no longer vulnerable to the Heartbleed bug and will provide a free web-seal attesting to our verification, including verification that a new SSL certificate has been placed on the system.

Technical Background


The “heartbleed” vulnerability affects certain versions (OpenSSL 1.0.1 through 1.0.1f inclusive) of the open source OpenSSL cryptographic software library used in many web servers and software applications. It is not a bug in the underlying Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols; it is a bug in the “heartbeat” function of the OpenSSL software, hence the name “heartbleed”. Please see www.heartbleed.com for more information.

Because of the wide deployment of OpenSSL and the length of time the bug was in the wild (over two years), it represents a significant security risk to websites and users alike.

Remediation

The recommended fix for the bug is to upgrade to the latest patched version of OpenSSL.
Alternatively, downgrade to OpenSSL 1.0.0 or OpenSSL 0.9.8, which are not vulnerable to the heartbleed exploit.
A not-recommended fix is to recompile OpenSSL with the heartbeat extension removed, using the OPENSSL_NO_HEARTBEATS flag.
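The first step in any of the remediation paths above is finding out which version of OpenSSL each system actually reports. The script below is an added example, not part of the original post or of HydrantID's tooling: it parses the banner printed by `openssl version` (for example `OpenSSL 1.0.1e 11 Feb 2013`) and flags only the range the post names, 1.0.1 through 1.0.1f inclusive. The inventory lines at the bottom are constructed sample data.

```python
import re

# Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f inclusive.
VULN_BRANCH = (1, 0, 1)
LAST_VULN_LETTER = "f"

# Matches the leading "OpenSSL 1.0.1e" part of an `openssl version` banner.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from a banner such as
    'OpenSSL 1.0.1e 11 Feb 2013', or None if the banner is not recognised."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_version(banner):
    """True when the reported version is in 1.0.1 .. 1.0.1f.

    The bare "1.0.1" release (empty letter) is the first release of the
    branch and is affected; letters sort alphabetically, so "" < "a" < ...
    < "f" < "g", and 1.0.1g onward falls outside the affected range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, fix, letter = parsed
    if (major, minor, fix) != VULN_BRANCH:
        return False          # 1.0.0x, 0.9.8x, 1.0.2 etc. are outside the range
    return letter <= LAST_VULN_LETTER


def triage_inventory(lines):
    """Classify 'hostname<TAB>banner' lines collected from a fleet.

    Returns a dict of hostname -> 'AFFECTED', 'not affected' or 'unknown'."""
    result = {}
    for line in lines:
        host, _, banner = line.partition("\t")
        try:
            flagged = is_heartbleed_version(banner)
        except ValueError:
            result[host] = "unknown"
            continue
        result[host] = "AFFECTED" if flagged else "not affected"
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    "web01\tOpenSSL 1.0.1e 11 Feb 2013",
    "web02\tOpenSSL 1.0.1g 7 Apr 2014",
    "mail01\tOpenSSL 1.0.0l 6 Jan 2014",
    "legacy01\tOpenSSL 0.9.8y 5 Feb 2013",
    "lb01\tOpenSSL 1.0.1 14 Mar 2012",
    "appliance\tfirmware build 7.2",
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (host, status))
```

Treat the result as a triage signal rather than proof: some distributions backport the fix while keeping the original version number in the banner, so a host reporting 1.0.1e may already be patched, and only the vendor's advisory or package changelog settles it. The "unknown" bucket exists for appliances and bundled software that do not expose an OpenSSL banner at all; those need the vendor's statement.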

After the bug is fixed, it is critical to reissue all digital certificates with new cryptographic keys (“re-keying”) because there is the possibility that the encryption keys have been compromised. There is no way to detect if keys have been compromised, so assume that they have been compromised.

HydrantID will re-key any digital certificate at no charge.

After patching OpenSSL and rekeying all digital certificates, HydrantID recommends that all users be required to change their passwords. People tend to use the same password across a variety of websites. If one website is compromised, the user password may be compromised across all websites using that same password.

What still needs to be done

  1. We need our trusted digital providers to take this seriously and immediately verify that their systems are not vulnerable to heartbleed and have not been vulnerable in the past.
  2. We need full disclosure to their customers/users that they have done both parts of step one; and
  3. If they are, or have been, vulnerable at any time, they need to confirm and disclose that they have patched their systems, revoked the existing keys and certificates, and replaced them with new ones.

What can we do as users and consumers

  1. Users and consumers should change their passwords (and usernames if possible) once their digital provider has confirmed they have remediated the vulnerability and replaced the keys and certificates. Users should select a unique password for every website and digital provider.
  2. Look for (and demand) disclosure from our digital providers – unfortunately it’s hard for us as end users to know if our digital providers have been exposed to heartbleed. We need full disclosure of their vulnerability and remediation process so that we know what action to take, and when, with respect to changing our passwords and usernames.
  3. Check that the digital certificate and keys have been replaced – it’s easy to see that a new certificate and encryption key have been created by clicking the lock icon in our browser and checking that the digital certificate was issued after April 9th 2014.
  4. Stay in touch with your digital provider. They are working hard on their end. You need to work on your end, after they patch their systems and replace their digital certificates and keys, to ensure you use good password practices.
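The browser check in step 3 can be automated for a list of providers. The script below is an added example, not code from the original post or from HydrantID: it reads the `notBefore` date from a certificate in the dictionary form Python's `ssl.getpeercert()` returns and reports whether the certificate was issued on or after the April 9th 2014 cutoff named above (the cutoff is taken from the post; treating it as 00:00 UTC on that day is this example's assumption). The two certificate dictionaries at the bottom are constructed samples; `fetch_peer_cert` is included for use against a live host but is not needed to run the samples.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff from the post: a certificate issued after April 9th 2014 shows the
# provider re-issued after Heartbleed was disclosed. Midnight UTC is assumed.
CUTOFF = datetime(2014, 4, 9, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Parse the notBefore field of a getpeercert()-style dict into an aware
    UTC datetime. ssl.cert_time_to_seconds understands the
    'Apr  9 00:00:00 2014 GMT' format that getpeercert() produces."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def issued_after_disclosure(cert, cutoff=CUTOFF):
    """True when the certificate's validity period starts at or after the cutoff."""
    return cert_not_before(cert) >= cutoff


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Retrieve the server certificate of a live host (network access required).
    Certificate validation is left on so an untrusted chain raises an error
    instead of being silently reported on."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(name, cert):
    """One-line status for a provider, as a string, so it can be checked or printed."""
    issued = cert_not_before(cert).date().isoformat()
    verdict = "re-issued after cutoff" if issued_after_disclosure(cert) else "STILL PRE-CUTOFF"
    return "%s: issued %s, %s" % (name, issued, verdict)


# Constructed sample certificates (hypothetical names, not real providers).
OLD_CERT = {
    "subject": ((("commonName", "old.example.test"),),),
    "notBefore": "Feb 11 00:00:00 2013 GMT",
    "notAfter": "Feb 11 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "new.example.test"),),),
    "notBefore": "Apr 10 15:30:00 2014 GMT",
    "notAfter": "Apr 10 15:30:00 2016 GMT",
}

if __name__ == "__main__":
    print(report("old.example.test", OLD_CERT))
    print(report("new.example.test", NEW_CERT))
```

A fresh `notBefore` proves the certificate was re-issued, not that it carries a new key: a provider that re-issued with the old key pair looks identical from the date alone. The post's advice to re-key is what matters, so where you can, compare the public key (for example a fingerprint of the certificate's public key before and after) rather than relying on the issue date only.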
