
Private keys taken from Heartbleed OpenSSL

9 replies to this topic

#1 sinetheo

sinetheo

    Neowinian

  • 470 posts
  • Joined: 09-January 14

Posted 13 April 2014 - 20:06

At first only passwords were sniffed out by the Heartbleed exploit. Now it appears private keys are being taken as well!

 

This means hackers can use forged certificates of bankofamerica.com, google.com, and other sites since they can sign their own certificate of authority with the stolen keys. This is bad: even if the web servers are patched, it means the keys must be remade as well. Let's hope GooglePlay store and others are not compromised, as a change of private keys would make the store inaccessible on older phones too.

 





#2 OP sinetheo

sinetheo

    Neowinian

  • 470 posts
  • Joined: 09-January 14

Posted 13 April 2014 - 21:14

... and a thousand cries from system administrators were heard with a UGGHH



#3 Praetor

Praetor

    ASCii / ANSi Designer

  • 2,690 posts
  • Joined: 05-June 02
  • Location: Lisbon
  • OS: Windows Eight dot One dot One 1!one

Posted 13 April 2014 - 21:22

source?



#4 OP sinetheo

sinetheo

    Neowinian

  • 470 posts
  • Joined: 09-January 14

Posted 13 April 2014 - 21:25

source?

 

I edited the link and it must have deleted it.

 

http://arstechnica.c...new-data-shows/



#5 n_K

n_K

    Neowinian Senior

  • 5,366 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 13 April 2014 - 21:33

Erm yes... This was common knowledge when the bug first got noticed and why it was so big; you can't do anything with the passwords you get through this method without the private key because you need the private key to decrypt them.

Plus it doesn't mean you can sign your own keys; they will be using signed web keys with a short expiration date, not the master signing keys which (for any half-decent organisation) would be stored on a completely separate (kudos for offline) server/PC. But yes, if you got a certificate pair from this method, you can successfully pretend to be that web host until the certificate expires (or is revoked if they go that method).



#6 OP sinetheo

sinetheo

    Neowinian

  • 470 posts
  • Joined: 09-January 14

Posted 13 April 2014 - 21:46

Erm yes... This was common knowledge when the bug first got noticed and why it was so big; you can't do anything with the passwords you get through this method without the private key because you need the private key to decrypt them.

Plus it doesn't mean you can sign your own keys; they will be using signed web keys with a short expiration date, not the master signing keys which (for any half-decent organisation) would be stored on a completely separate (kudos for offline) server/PC. But yes, if you got a certificate pair from this method, you can successfully pretend to be that web host until the certificate expires (or is revoked if they go that method).

 

But you can forge a certificate with the private keys and claim you are bankofamerica.com, as an example, right?



#7 Raa

Raa

    Resident president

  • 12,545 posts
  • Joined: 03-April 02
  • Location: NSW, Australia

Posted 13 April 2014 - 22:56

Anyone affected knows they will have to revoke and reissue certificates, so anyone attempting to forge the website will get an invalid certificate (the old one).

 

Google was not affected IIRC.



#8 B0mberman

B0mberman

    Silence is the key to Wisdom

  • 5,179 posts
  • Joined: 25-June 07
  • Location: CPT
  • OS: Windows 8.1
  • Phone: Galaxy S2 CM

Posted 14 April 2014 - 01:18

:|



#9 Mur

Mur

    Design & Conquer

  • 61 posts
  • Joined: 04-April 14
  • Location: Canada
  • OS: Windows 8.1.1
  • Phone: iPhone 4s

Posted 14 April 2014 - 17:02

... and a thousand cries from system administrators were heard with a UGGHH

 

I was one of those "UGGHH's".



#10 n_K

n_K

    Neowinian Senior

  • 5,366 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 15 April 2014 - 00:35

But you can forge a certificate with the private keys and claim you are bankofamerica.com, as an example, right?

No, you can use the private and public key pair on your own webserver, and if you somehow managed to get clients connecting to it and thinking they were accessing the intended URL (which is a domain on the certificate) then it would pass without problems, and make it look like you were connected to the real site (assuming they didn't revoke the certificates).