The Heartbleed OpenSSL bug just refuses to die. Now it looks as if the measures many web sites, including some belonging to Canadian provincial and federal governments, may still be at risk despite being “fixed.”
That’s according to a new study published last Friday by Internet services company Netcraft Ltd. The study claims that while websites patched vulnerable OpenSSL installations after Heartbleed was exposed early in April, replacing their SSL certificates and revoking the old ones, some actually re-used the same potentially compromised private key in the new certificate.
More than 30,000 affected certificates have been revoked and were reissued, but re-used the affected private key, the Netcraft study says. And the Canadian and Quebec governments are among those still at risk.
“The Canadian government ought to appreciate the risks posed by the Heartbleed bug more than others, particularly after the bug was exploited to steal social insurance numbers from the Canadian [sic] Revenue Agency,” Netcraft’s report says. “However, some parts of the Canadian government have made the mistake of reusing private keys while trying to mitigate the risks.”
Netcraft also singles out the Quebec Automobile Insurance Corporation, which licenses drivers in the province and provides personal injury insurance to the public. One of the agency’s websites at secure.saaq.gouv.qc.ca was issued a new SSL certificate in response to Heartbleed, Netcraft says, and the previous certificate was revoked on 29 April.
“The CRL revocation status listed the reason as ‘keyCompromise,’ but the issuing certificate authority nonetheless allowed the new certificate to be signed with the same private key,” Netcraft says. “This means the new certificate can also be impersonated by anyone who is in possession of the compromised key.”
The potential danger is compounded simply because many operators who re-used the potentially compromised private key may believe that they’ve fixed the problem.
“By reusing the same private key, a site that was affected by the Heartbleed bug still faces exactly the same risks as the those that have not yet replaced their SSL certificates — if the previous certificate had been compromised, then the stolen private key can still be used to impersonate the website’s new SSL certificate, even if the old certificate has been revoked,” Netcraft says. “Certificates that have been reissued with the same private key are easy to identify, as the new public key will also be identical to the old one.”
The company says that only 14 per cent of affected websites have followed all three required steps after patching Heartbleed; replacing their SSL certificates, revoking the old ones and making sure to use a different private key. Those who have done the first two steps but failed to change the private key could still be vulnerable to attacks.
A Computerworld article on the Netcraft report cites a post on Vivaldi.net that around 20 per cent of currently vulnerable servers may have made themselves vulnerable by replacing what were in fact healthy versions of OpenSSL with versions containing the Heartbleed bug.
“It is difficult to definitely say why this problem developed,” software developer Yngve Nysæter Pettersen wrote in the Vivaldi.net post. “One possibility is that all the media attention led concerned system administrators into believing their system was unsecure. This, perhaps combined with administrative pressure and a need to ‘do something,’ led them to upgrade an unaffected server to a newer, but still buggy version of the system, perhaps because the system variant had not yet been officially patched.”