PKI Blog

Where Does My Heartbleed Now?

Posted by Chris Hickman on Apr 15, 2014 6:00:29 AM

Vulnerabilities tend to morph over time. Upon initial identification, researchers, companies, and experts tend to rush to offer opinions, sometimes factual and sometimes less so.


Publicly Trusted versus Trustworthy SSL Certificates

Posted by Wayne Harris on Apr 11, 2014 10:52:23 AM

In the wake of the Heartbleed bug, many are faced with the daunting (and expensive) prospect of replacing the SSL certificates on vulnerable systems. This is because the private keys of exposed SSL certificates may have been compromised. Since there is no way to know for sure whether your private keys have been compromised, many are opting to replace the SSL certificates of the affected system(s).


Heartbleed Vulnerability: What You Need to Know

Posted by Wayne Harris on Apr 9, 2014 10:56:36 AM

On April 7, 2014, a severe vulnerability called “Heartbleed” was announced. Heartbleed is a vulnerability within the OpenSSL 1.0.1 series software that is described in the NIST CVE-2014-0160 announcement. In short, this vulnerability allows hackers access to portions of a vulnerable system’s memory, leading to the potential exposure of passwords, sensitive data, and certificate private keys on affected systems. Heartbleed accomplishes this by exploiting a weakness in the “TLS Heartbeat Extension,” exposing server memory. Even worse, this heartbeat attack can be repeated without the awareness of the victim, and each iteration reveals another 64k snapshot of memory to the attacker. This very serious vulnerability exposes the most sensitive data of affected systems.

The good news: the vulnerability has a patch. However, the widespread adoption of the OpenSSL 1.0.1 series software, coupled with the two years that this vulnerability has existed, means that the risks attributable to Heartbleed are enormous. Current estimates predict that over 500,000 systems may be vulnerable. Specifically, the Heartbleed vulnerability affects those systems that use OpenSSL 1.0.1 (a-f). Unfortunately, since this software is so widely implemented, many popular OS platforms are affected and thus vulnerable. I would suggest visiting the CERT Web Site for a more complete list of affected platforms. It is worth mentioning that this is a developing story, and as such, the list of affected platforms is likely to change.
