OpenSSL & Heartbleed

Heartbleed (CVE-2014-0160) is a bug in the TLS heartbeat extension (RFC 6520) implementation of the open-source OpenSSL cryptography library, present in versions 1.0.1 through 1.0.1f and fixed in 1.0.1g on 7 April 2014. A heartbeat request carries a payload and a payload-length field; the vulnerable code copies payload-length bytes back to the peer without checking that the request actually contained that many bytes, so each request returns up to 64 KB of whatever happens to sit next to the request in the process's memory. Because either side of a TLS connection may send heartbeats, memory leaks from the server to the client and from the client to the server. The leaked memory can include private keys, session cookies, passwords and other secrets. What makes it so serious is the long exposure (the bug shipped in OpenSSL 1.0.1 in March 2012 and went unnoticed for about two years), the ease of exploitation (a single unauthenticated request, repeatable at will) and that attacks leave no trace in server logs.
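To make the missing bounds check concrete, here is an added example, not OpenSSL's code and not part of this page's original text: a simplified C model of a heartbeat handler in its vulnerable form and in the shape of the fixed form. The message layout follows RFC 6520; the record, the adjacent secret and the `fake_heap` buffer are constructed for the demonstration so that the over-read stays inside memory the program owns and the example can be run safely.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message as carried in a TLS record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16)   */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3      /* type + 2-byte payload length */
#define HB_PADDING  16

/* Constructed "process memory": the request is placed in front of a secret that
 * happens to be adjacent on the heap (in real life: keys, cookies, passwords). */
#define HEAP_SIZE 128
static uint8_t fake_heap[HEAP_SIZE];
static const char SECRET[] = "BEGIN-PRIVATE-KEY-DEMO";   /* constructed sample secret */

static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Write a heartbeat request carrying `payload` into fake_heap, with the length
 * field set to `claimed_len` (the attacker's choice, not the real length), and
 * park SECRET directly behind it. Returns the number of bytes really received. */
size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t rec_len = HB_HEADER + plen + HB_PADDING;
    memset(fake_heap, 0, sizeof fake_heap);
    fake_heap[0] = HB_REQUEST;
    fake_heap[1] = (uint8_t)(claimed_len >> 8);
    fake_heap[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(fake_heap + HB_HEADER, payload, plen);      /* padding stays zero */
    memcpy(fake_heap + rec_len, SECRET, sizeof SECRET); /* adjacent heap data */
    return rec_len;
}

/* Vulnerable handler: the copy length is taken from the message itself and is
 * never compared with how many bytes the record really contains. The demo keeps
 * the over-read inside fake_heap; a real server reads whatever follows. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* real length never consulted */
    uint16_t payload_len = read_u16(rec + 1);
    size_t resp_len = (size_t)HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;                /* only the output is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* over-read happens here */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: a request whose claimed payload does not fit inside the bytes
 * actually received is silently discarded, which is the shape of the 1.0.1g fix. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < (size_t)HB_HEADER + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    size_t resp_len = (size_t)HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > rec_len) return 0;                /* the missing bounds check */
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Does a response carry the secret that was never part of the request? */
static int contains_secret(const uint8_t *buf, size_t len)
{
    size_t n = strlen(SECRET);
    for (size_t i = 0; len >= n && i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* 2 real payload bytes, 64 claimed: the vulnerable handler echoes the secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t out[256];
    size_t rec_len = build_request(64, "hi");
    size_t n = heartbeat_vulnerable(fake_heap, rec_len, out, sizeof out);
    return n == (size_t)HB_HEADER + 64 + HB_PADDING && contains_secret(out, n);
}

/* Same malicious request against the fixed handler: discarded. */
int fixed_rejects_oversized(void)
{
    uint8_t out[256];
    size_t rec_len = build_request(64, "hi");
    return heartbeat_fixed(fake_heap, rec_len, out, sizeof out) == 0;
}

/* An honest request (claimed length matches the payload) still gets its echo. */
int fixed_answers_honest_request(void)
{
    uint8_t out[256];
    size_t rec_len = build_request(2, "hi");
    size_t n = heartbeat_fixed(fake_heap, rec_len, out, sizeof out);
    return n == rec_len && out[0] == HB_RESPONSE &&
           memcmp(out + HB_HEADER, "hi", 2) == 0 && !contains_secret(out, n);
}

int main(void)
{
    printf("vulnerable handler leaks secret:  %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects oversized:  %d\n", fixed_rejects_oversized());
    printf("fixed handler answers honest one: %d\n", fixed_answers_honest_request());
    return 0;
}
```

The same comparison (claimed payload length plus header and padding against the bytes actually on the wire) is also what a network sensor checks to flag Heartbleed probes in transit; nothing about the exchange reaches an application log, which is why the page's point about attacks leaving no trace holds on the server side.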

If the server's private key is among the leaked data, its X.509 certificate no longer proves anything: whoever holds the key can impersonate the server to clients and, for sessions negotiated without forward secrecy (RSA key exchange rather than ephemeral Diffie-Hellman), decrypt traffic they have recorded. Recovery requires patching the vulnerable OpenSSL, revoking the compromised certificates, and generating new key pairs before reissuing and redistributing certificates; reissuing a certificate over the old key gains nothing. Even after all of this, traffic an attacker captured in the past remains decryptable if it was protected by the leaked key without forward secrecy, and any passwords or session tokens that were in memory while the server was exposed have to be reset as well.

We can help with patching OpenSSL, replacing SSL certificates and revoking the old ones. We do not reuse old keys: every new certificate is issued for a freshly generated key pair. Our approach is to assume that all legacy keys have been compromised. Since there is no way to determine whether a site or application that was vulnerable to Heartbleed has actually been compromised (exploitation leaves nothing in the logs), the prudent thing to do is assume it has, however unlikely that may seem.

Contact us now to help you understand how to mitigate this serious problem and secure your private keys against further attacks.