
Rush to defend against Heartbleed leads to mistakes with certificates, patches - PC World

Peter Sayer


Despite taking prompt action to defend against the Heartbleed attack, some sites are no better off than before—and in some cases, they are much worse off.

Many of the sites that patched vulnerable OpenSSL installations after the Heartbleed attack was revealed on April 7 then went on to revoke compromised SSL certificates and order new ones. But 30,000 sites are now using replacements based on the same compromised private key as the old certificate, according to a study by Internet services company Netcraft released Friday.

That means that anyone who managed to steal the private key of such a server before it was patched could still use the key to impersonate the server in a man-in-the-middle attack, even with the new certificate in place.

The error is a dangerous one, because the operators of vulnerable servers are likely to believe they have taken all the steps necessary to protect their users, Netcraft warned.

Around 57 percent of sites vulnerable to the Heartbleed attack have so far neither revoked nor reissued their SSL certificates, Netcraft said. A further 21 percent have reissued certificates but not revoked the compromised ones.
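One practical way for an operator to catch the mistake Netcraft describes, added here as an example (it is not part of the PC World article or Netcraft's study): compare the SubjectPublicKeyInfo fingerprint of the old certificate with that of the replacement. If the fingerprints match, the replacement was issued for the same key pair and revoking the old certificate does nothing against an attacker who already holds the private key. The script assumes the openssl command-line tool is installed; the keys and certificates it creates are constructed throwaway samples.

```shell
#!/bin/sh
# Added example: detect a "reissued" certificate that reuses the old private key.
# Assumes the openssl CLI is available. All key material here is constructed
# on the fly for demonstration only.
set -e

# SHA-256 over the DER-encoded SubjectPublicKeyInfo extracted from a certificate.
# Two certificates with equal fingerprints carry the same public key, so the same
# private key serves both; a compromise of one is a compromise of the other.
spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status 0 (true) when both certificates share a public key.
key_reused() {
  [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# Constructed sample data: old.pem and reissued.pem are signed for the same key
# (the mistake the article reports); rotated.pem uses a freshly generated key.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/old.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=example.test" -days 1 -out "$WORK/old.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=example.test" -days 1 -out "$WORK/reissued.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/new.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/new.key" -subj "/CN=example.test" -days 1 -out "$WORK/rotated.pem" 2>/dev/null

if key_reused "$WORK/old.pem" "$WORK/reissued.pem"; then
  echo "reissued.pem: SAME key as old.pem; revocation alone does not protect users"
fi
if ! key_reused "$WORK/old.pem" "$WORK/rotated.pem"; then
  echo "rotated.pem: new key pair; old certificate can now be revoked safely"
fi
```

Run the same check against a live server by saving the certificate it presents (for example with `openssl s_client`) and the copy you kept from before patching.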
