Heartbleed: the race to reissue security certificates
Heartbleed has web firms racing for new security certificates
The fallout from the OpenSSL Heartbleed bug continues, and one source of pain is reissuing security certificates.
Heartbleed allows hackers to read a small slice of memory, which may include keys to security certificates. And that's not only in theory: CloudFlare challenged security researchers to hack its certificates, suggesting it was unlikely to be achievable, only to have a developer succeed within hours.
Web firms have understandably been racing to revoke and reissue their security certificates, leaving certificate authorities (CAs) with a hefty pile of work. We spoke to Robin Alden, CTO of certificate-issuing firm Comodo, to find out more.
Q. How busy have you been over the last week?
A. Very! Our average renewal rates have gone up by a factor of between 15 and 20. Our peak rates - taking our busiest hour of the day - have gone up more than a factor of 30.
Q. What process are you going through to renew certificates for your customers?
A. We’ve been notifying all our customers about the Heartbleed vulnerability. We see the remediation process for Heartbleed as a multi-step process for our customers.
Comodo helps them identify if their server is vulnerable. If their server is accessible from the internet, as most of them are (that is usually the point of the exercise, after all), we ask them to use our Heartbleed site analyser.
This tells them if their server is susceptible to the Heartbleed vulnerability, and will also check for any other problems with their server configuration around the use of SSL. If they find their server isn’t vulnerable, it’s job done.
If their server is vulnerable to Heartbleed, the site operator gets the server upgraded to the latest version of server software. Almost all the server platforms have updates out right now which include a fix for the Heartbleed vulnerability. Some techie site operators who roll their own servers just need to update OpenSSL itself. Our support guys will help by advising our customers what it is they need to update.
They also need a replacement SSL certificate from Comodo. They can order that from their account with us online, or they can contact our support service if they get stuck (but the online process is quicker). When they have the certificate they should install it in place of the old certificate on their server.
Q. At what point is a certificate revoked?
A. When their site is up and running, patched to the latest version and with the new certificate installed, that’s the time they should ask us to ‘revoke’ the old certificate. Revocation is a kind of blacklisting mechanism for making a certificate untrusted, so that it couldn’t be used by an attacker if the private key had been stolen while the server was vulnerable.
The final thing to do, once their site is secure again, is for them to evaluate whether they need to tell their customers to change their access credentials, typically passwords. We recommend this final step because one of the regrettable things about this vulnerability is that you just can’t tell even by looking at web server logs whether or not an attacker has exploited it on your server before you got your server patched and upgraded.
Q. How much does a certificate normally cost?
A. A new certificate could cost from $50 up to hundreds of dollars. Comodo does not charge for issuing a replacement certificate during the lifetime of an existing certificate originally purchased from us. Some CAs do charge for replacement and/or revocation, but we feel that potentially this is a deterrent to site owners from taking the very best advice to keep their servers and their customers secure.
Q. Does the CA industry have the ability to reissue so many certificates in such a short period of time?
A. In general, yes, we do. Some of our ancillary systems have steam coming off them, but our tech teams love a challenge and our core systems can keep up this rate, and much higher, indefinitely.
As an industry, we can do it precisely because we are commercial organisations who do this as a business, and it is in our best interest to provide the very best in advice and product to our customers.
I know that the vast majority of our competitor CAs feel the same way. There are one or two out there looking to make a quick buck off the back of this Heartbleed incident, and I believe they will lose out in the longer term by doing so.