Heartbleed and your web browser
There is a very nasty vulnerability known as Heartbleed that has been discovered in OpenSSL. While you may not be familiar with OpenSSL, you are familiar with the hundreds of thousands of sites that use it to protect your passwords and encrypt your data. It is estimated to be running on a third of all secured web servers, and it is used by sites like Yahoo, Imgur, and many others.
The vulnerability allows an attacker to obtain chunks of plaintext in 64k segments. These segments have been proven to expose visitor cookies, user passwords, and, perhaps most worrisome, the private keys of web server SSL certificates. In layman's terms, that means I not only broke into your house but I changed the locks. (Infosec folks, please don’t take the analogy too far; I realize it is more akin to being able to spoof locks, but I digress.) Because of this potential key compromise, Yahoo and many other companies are going through the process of revoking and regenerating their SSL certificates.
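To make the 64k figure concrete, here is an added illustration (not code from this post or from OpenSSL) of the TLS heartbeat message layout and the bounds check that the fix introduced: the length field a peer sends is 16 bits, so it can claim up to 65535 bytes regardless of how short the record actually is. The byte sequences in the comments are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* What the unpatched code trusted: the length field alone. Being 16 bits
 * wide, it can claim up to 65535 bytes no matter how short the received
 * record is, which is where the "64k segments" come from. This helper only
 * reads the header; it never copies anything. */
unsigned requested_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN)
        return 0;
    return ((unsigned)rec[1] << 8) | rec[2];
}

/* Hardened handling in the spirit of the OpenSSL fix: header, claimed
 * payload and minimum padding must all fit inside the record that was
 * actually received, otherwise the message is silently discarded.
 * Returns 1 and copies the payload into out on success, 0 otherwise. */
int extract_heartbeat_payload(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    unsigned payload_len;

    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                  /* no room for even an empty payload */
    payload_len = requested_payload_len(rec, rec_len);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len)
        return 0;                  /* claimed length exceeds the record */
    if (payload_len > out_cap)
        return 0;                  /* caller's buffer is too small */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    *out_len = payload_len;
    return 1;
}
```

A record whose header claims 65535 bytes but that is only 23 bytes long is rejected by the hardened check, whereas the unpatched code would have echoed back 65535 bytes of whatever followed it in memory.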
Why should you care?
If an attacker has obtained the private key of a certificate, they can use that certificate to make themselves appear legitimate unless your web browser checks for certificate revocation. Neither Chrome nor Firefox does this by default (they should, and I’m hopeful they will).
You can manually enable this feature, and I would suggest that you do so. It is not a cure-all nor foolproof, but the fallout from Heartbleed is going to be significant, and honestly this feature should be enabled at all times.
How to change your browser settings:
Chrome – go to Settings, click “Show Advanced”, and enable the certificate revocation checking setting
Firefox – Settings, Advanced, Validation, then check both boxes
IE – I believe these are on by default, but to be sure, go to Settings, Advanced, and confirm the certificate revocation checking settings are enabled
For further reading regarding Heartbleed:
- Everything you need to know about the Heartbleed web security flaw from GigaOm
- Heartbleed: Why the Internet’s Gaping Security Hole Is So Scary from Gizmodo
- Thoughts on Heartbleed Bug from HP Application Security Team