
Heartbleed, essential things or misinformation?

posted Apr 11, 2014, 10:04 PM by Sami Lehtinen   [ updated Apr 21, 2014, 5:40 AM ]
Are my comments regarding Heartbleed misinformation, or are they essential? Because I think that many news articles miss the vital points and only focus on simple instructions which don't really cover what needs to be thought about.
  1. Why do they say that sites should only renew their certificate? It doesn't make any sense at all. As far as I know, sites should renew their private key, not only the certificate. A certificate is only the CA's signature over a public key; if the private key leaked, a freshly issued certificate for the same key can still be used by whoever holds that key.
    So what should be done instead of only renewing the certificate? (After patching OpenSSL, of course, otherwise the new key leaks the same way.)
    Generate a new key pair (which of course includes a new private and public key).
    Create a certificate signing request for the new public key and have the CA issue a new certificate for it.
    Install the new private key and the new certificate on the server, and restart the service so the old key is no longer in memory.
    Revoke the old certificate with the CA. Revoking before the replacement is installed only causes an outage, so this is the last step, not the first.
    Finally, check that the public key in the new certificate really differs from the one in the old certificate; a certificate that was merely reissued for the old key fails this check.
  2. Because Heartbleed allowed reading arbitrary chunks of the vulnerable process's memory (up to 64 KB per request, repeatable as often as the attacker liked), renewing all passwords and encryption keys held on the server is also required: SSH keys used on the server, other account passwords and, if there are any third-party integrations, API keys and other traditional login/password credentials. Anything that might have been in the memory of the server could have leaked. As an example, if your site holds Facebook API keys, those may have been leaking too, as may cloud authentication keys/passwords for Amazon S3, Google Cloud Storage etc.
  3. When people are told to replace their password, why aren't they also told to replace their authentication cookies? Because I have seen that many sites do not properly reset authentication cookies even if you change the password. So changing the password without invalidating existing sessions is like renewing the certificate while keeping the private key: it still leaves the possibility of abusing your account if they have the cookies, even if the password has been changed. With some sites it's actually quite hard to get that authentication cookie properly replaced; even if it is deleted, they might just set the same 'this user is logged in' cookie, even if you're using a different password now, allowing continued access for the cookie owner. Where the site offers it, log out of all sessions after the password change, and check that a copy of the old cookie no longer works.
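The key-and-certificate rotation from item 1, carried out with the openssl command line, as an added example that is not code from the original post. It generates the replacement key pair and CSR, stands in for the CA by self-signing (with a real CA the CSR is submitted there and the old certificate is revoked there), and ends with the check that matters: the public key in the new certificate must differ from the one in the old certificate and must match the new private key. The hostname www.example.com and the scratch directory are assumptions; a certificate that is only reissued for the old key is built alongside to show why "just renew the certificate" is not enough.

```sh
#!/bin/sh
# Added example, not code from the original post. Rotates a TLS key pair (not only
# the certificate) and verifies the rotation. Requires the openssl CLI.
# The CA step is replaced by self-signing so the script runs offline; with a real
# CA, send the CSR there and revoke the old certificate through the CA.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # assumed scratch location
HOST="${HOST:-www.example.com}"          # hypothetical hostname

# Step 1: generate a fresh key pair and a CSR for its public key.
# The private key is created on the server and never leaves it.
make_keypair_and_csr() {
    name="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$name.key" 2>/dev/null
    chmod 600 "$WORKDIR/$name.key"
    openssl req -new -key "$WORKDIR/$name.key" -subj "/CN=$HOST" \
        -out "$WORKDIR/$name.csr" 2>/dev/null
}

# Step 2 (stand-in for the CA): issue a certificate for a CSR, signed with the
# given key. Arguments: CSR name, key name, output certificate name.
issue_cert() {
    openssl x509 -req -in "$WORKDIR/$1.csr" -signkey "$WORKDIR/$2.key" \
        -days 30 -out "$WORKDIR/$3.crt" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo found in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Same fingerprint, computed from a private key's public half.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# The post-Heartbleed check: prints "rotated" when the new certificate carries a
# different public key than the old one, "same-key" when it does not (meaning
# whoever extracted the old private key can still impersonate the site).
check_rotation() {
    if [ "$(cert_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]; then
        echo same-key
    else
        echo rotated
    fi
}

# The old (assumed compromised) key pair and its certificate.
make_keypair_and_csr old
issue_cert old old old

# What "just renew the certificate" produces: a new certificate, same key.
issue_cert old old old-renewed

# What should be done: a new key pair, a CSR for it, a certificate for that.
make_keypair_and_csr new
issue_cert new new new

echo "renewed cert vs old cert: $(check_rotation "$WORKDIR/old.crt" "$WORKDIR/old-renewed.crt")"
echo "new cert vs old cert:     $(check_rotation "$WORKDIR/old.crt" "$WORKDIR/new.crt")"
if [ "$(key_pubkey_fp "$WORKDIR/new.key")" = "$(cert_pubkey_fp "$WORKDIR/new.crt")" ]; then
    echo "new private key matches new certificate: install both, then revoke old.crt at the CA"
fi
```

Run it with sh; it prints same-key for the reissued certificate and rotated for the one built on the new key. The same two fingerprint functions work against a deployed site: compare the public key fingerprint of the certificate a server presents now with the one it presented before the fix, and if they are equal the key was not rotated, whatever the certificate's dates say.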
I think it's pretty essential to fix all related deeper issues and not only focus on the very shallow surface layer of the issue.