Admins scramble to plug giant OpenSSL security hole

Yesterday's revelations that several versions of the popular OpenSSL cryptographic library contain a serious vulnerability is emerging as a much larger problem than initially thought.

The Heartbleed security hole, caused by a programming mistake, means anyone can connect to a system running vulnerable versions of OpenSSL and read the content of their memory in 64 kilobyte chunks without raising suspicion.

This means usernames, passwords and actual communication can be captured - a problem that is magnified as OpenSSL is shipped globally as the default encryption mechanism with the popular Apache and nginx servers, which web metrics firm Netcraft estimates run on 52 and 14 percent of active web sites respectively.

Tools to test for the vulnerability exist and are available in the open, and users are scanning the internet, finding thousands of insecure sites.

iTnews tested one such tool (now taken down) which showed that several sites including security vendors like blogs.mcafee.com and ssltools.websecurity.symantec.com remain vulnerable.

Large providers such as Akamai, Cloudflare and Yahoo were contacted in advance by the OpenSSL developers before details of the vulnerability were published, to give them an opportunity to patch their systems.

Despite the heads up, some were slow to act. Security researcher Brian Krebs singled out Yahoo as being tardy to fix the OpenSSL bug:

I don't get why Yahoo wouldn't fix this OpenSSL bug earlier. Akamai, Cloudflare, others, seem to have gotten heads up in advance.

— briankrebs (@briankrebs) April 8, 2014

Malware analyst Mark Loman demonstrated that Yahoo's servers are vulnerable to the Heartbleed, and could reveal user credentials to anyone:

@yahoo your login servers are vulnerable for the OpenSSL #heartbleed attack, exposing usernames and plain passwords pic.twitter.com/v8kddiP0Yo

— Mark Loman (@markloman) April 8, 2014

As the vulnerability was introduced in OpenSSL as early as December 2011, and can be exploited unnoticed, simply replacing vulnerable versions of the crypto library with patched ones may not be sufficient.

Since there is no way of knowing if credentials such as private keys, passwords, authentication cookies and more have been captured, organisations may need to replace all of these.

This could prove to be a gargantuan task.

Akamai's Andy Ellis suggests that if a customer operates its own internal Certificate Authority (CA) and uses the Online Certificate Status Protocol (OCSP) to communicate revocation, such credentials should probably be replaced.

He warns, however, that this might not work.

"Check first: Most desktop browsers don't honour revocation anyway. Most CAs don't have the scalable infrastructure to support revocation lists with millions of entries," he said.

He also believes application developers should urgently consider whether or not to invalidate any login cookie issued, prior to patching the Heartbleed vulnerability.

The United States government Computer Emergency Readiness Team (US-CERT) issued an alert overnight about the Heartbleed vulnerability, warning that sensitive information may have been captured.

US-CERT also recommends that administrators implement Perfect Forward Secrecy, a protocol that prevents the large scale compromise of encrypted data even if a single encryption key has been captured, to mitigate against the attack.