More on Heartbleed
This is an update to my earlier post.
Cloudflare is reporting that it’s very difficult, if not practically impossible, to steal SSL private keys with this attack.
Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.
The reasoning is complicated, and I suggest people read the post. What I have heard from people who actually ran the attack against a various servers is that what you get is a huge variety of cruft, ranging from indecipherable binary to useless log messages to peoples’ passwords. The variability is huge.
This xkcd comic is a very good explanation of how the vulnerability works. And this post by Dan Kaminsky is worth reading.
I have a lot to say about the human aspects of this: auditing of open-source code, how the responsible disclosure process worked in this case, the ease with which anyone could weaponize this with just a few lines of script, how we explain vulnerabilities to the public—and the role that impressive logo played in the process—and our certificate issuance and revocation process. This may be a massive computer vulnerability, but all of the interesting aspects of it are human.
EDITED TO ADD (4/12): We have one example of someone successfully retrieving an SSL private key using Heartbleed. So it’s possible, but it seems to be much harder than we originally thought.
And we have a story where two anonymous sources have claimed that the NSA has been exploiting Heartbleed for two years.
EDITED TO ADD (4/12): Hijacking user sessions with Heartbleed. And a nice essay on the marketing and communications around the vulnerability
EDITED TO ADD (4/13): The US intelligence community has denied prior knowledge of Heatbleed. The statement is word-game free:
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
The statement also says:
Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
Since when is “law enforcement need” included in that decision process? This national security exception to law and process is extending much too far into normal police work.
Another point. According to the original Bloomberg article:
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
Certainly a plausible statement. But if those millions didn’t discover something obvious like Heartbleed, shouldn’t we investigate them for incompetence?
Finally—not related to the NSA—this is good information on which sites are still vulnerable, including historical data.
Walter • April 11, 2014 1:26 PM
The problem is that this “attack” doesn’t leave traces (or, in real life, it’s very hard to find someone that would store all data served from their servers in some log). Even if it was hard to leak the private key, that doesn’t exclude the possibility that some other attack could make a server reboot (or perhaps using so much memory allocation that the server could swap something to the disk and read again in the upper memory) so that it would be easier to get such keys.