Private keys taken from Heartbleed OpenSSL



At first only passwords were sniffed out by the Heartbleed exploit. Now it appears private keys are being taken as well!

This means hackers can use forged certificates of bankofamerica.com, google.com, and other sites, since they can sign their own certificate of authority with the stolen keys. This is bad: even if the web servers are patched, it means the keys must be remade as well. Let's hope the Google Play store and others are not compromised, as a change of private keys would make the store inaccessible on older phones too.


Erm yes... This was common knowledge when the bug first got noticed and why it was so big; you can't do anything with the passwords you get through this method without the private key, because you need the private key to decrypt them.

Plus it doesn't mean you can sign your own keys; they will be using signed web keys with a short expiration date, not the master signing keys, which (for any half-decent organisation) will be stored on a completely separate (kudos for offline) server/PC. But yes, if you got a certificate pair from this method, you can successfully pretend to be that web host until the certificate expires (or is revoked, if they go with that method).


> Erm yes... This was common knowledge when the bug first got noticed and why it was so big; you can't do anything with the passwords you get through this method without the private key, because you need the private key to decrypt them.
>
> Plus it doesn't mean you can sign your own keys; they will be using signed web keys with a short expiration date, not the master signing keys, which (for any half-decent organisation) will be stored on a completely separate (kudos for offline) server/PC. But yes, if you got a certificate pair from this method, you can successfully pretend to be that web host until the certificate expires (or is revoked, if they go with that method).

But you can forge a certificate with the private keys and claim you are bankofamerica.com, as an example, right?


Anyone affected knows they will have to revoke and reissue certificates, so anyone attempting to forge the website will get an invalid certificate (the old one).

Google was not affected IIRC.


> But you can forge a certificate with the private keys and claim you are bankofamerica.com, as an example, right?

No, you can use the private and public key pair on your own webserver, and if you somehow managed to get clients connecting to it and thinking they were accessing the intended URL (which is a domain on the certificate), then it would pass without problems and make it look like you were connected to the real site (assuming they didn't revoke the certificates).


This topic is now closed to further replies.
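
The revoke-and-reissue cleanup discussed in this thread can be checked mechanically. The following is an added example, not code from any poster: it triages a certificate inventory for certificates a client would still accept although their key may have leaked. Hostnames, serials, key labels and dates are constructed, and it assumes a key counts as exposed when a certificate carrying it was issued before its host was patched.

```python
from collections import namedtuple
from datetime import datetime, timezone

Cert = namedtuple("Cert", "host serial spki not_before not_after revoked")

def day(s):
    """Parse YYYY-MM-DD as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

# Constructed inventory. "spki" is a placeholder label for a public-key fingerprint.
INVENTORY = [
    Cert("www.example.test", "01", "key-A", day("2013-09-01"), day("2014-09-01"), False),
    Cert("www.example.test", "02", "key-B", day("2014-04-10"), day("2015-04-10"), False),
    Cert("shop.example.test", "03", "key-C", day("2013-11-01"), day("2014-11-01"), True),
    Cert("shop.example.test", "04", "key-C", day("2014-04-11"), day("2015-04-11"), False),
    Cert("mail.example.test", "05", "key-D", day("2013-06-01"), day("2014-06-01"), True),
    Cert("mail.example.test", "06", "key-E", day("2014-04-12"), day("2015-04-12"), False),
    Cert("static.example.test", "07", "key-A", day("2014-01-15"), day("2015-01-15"), False),
]
# Constructed: when each host got a fixed OpenSSL. A host that is absent
# from this map never ran a vulnerable build.
PATCHED = {h: day("2014-04-09") for h in
           ("www.example.test", "shop.example.test", "mail.example.test")}

def predates_patch(cert, patched):
    """True if the certificate (and so its key) was on the host while it was vulnerable."""
    fixed = patched.get(cert.host)
    return fixed is not None and cert.not_before < fixed

def triage(inventory, patched, now):
    """Return (host, serial, reason) for each still-usable certificate with an exposed key."""
    exposed = {c.spki for c in inventory if predates_patch(c, patched)}
    findings = []
    for c in inventory:
        usable = not c.revoked and c.not_before <= now < c.not_after
        if c.spki not in exposed or not usable:
            continue
        if predates_patch(c, patched):
            reason = "pre-patch certificate not revoked"
        elif c.host in patched:
            reason = "reissued with the exposed key"
        else:
            reason = "shares a key with a vulnerable host"
        findings.append((c.host, c.serial, reason))
    return findings

if __name__ == "__main__":
    for finding in triage(INVENTORY, PATCHED, day("2014-05-01")):
        print(*finding, sep="  ")
```

Running it for a later date drops serial 01 from the findings once that certificate has expired, which is the "until the certificate expires" window mentioned above.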