How to mend a bleeding heart?
Over the past two days, the technology community has been focused on a recently discovered vulnerability in OpenSSL called the “Heartbleed Bug”. We were in touch with customers immediately after its discovery, but we also want to help address any additional concerns our customers, partners, and the general public have about this critical vulnerability.
What is the Heartbleed Bug?
According to Codenomicon, “The Heartbleed Bug (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”
In describing the scale of the bug, Ars Technica wrote, “[the] extremely critical defect resides in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.”
How can the Heartbleed Bug be exploited?
Codenomicon explains, “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Why were some vendors/companies notified in advance about the vulnerability while others were not?
Based on what we know, the Heartbleed vulnerability was discovered in the OpenSSL code last week by three researchers at Codenomicon in Finland along with a researcher at Google. The plan was to fix the bug and then notify trusted web site operators before letting the public know about it.
Unfortunately, concerns that news of the security vulnerability in OpenSSL had leaked to hackers prompted OpenSSL to disclose the vulnerability to the public before they were able to notify the majority of Internet providers and large companies operating on the Web. As a result, most organizations were caught off guard by the announcement.
Are Verizon Digital Media Services’ systems patched?
Yes. All of our servers were patched and tested with a modified version of OpenSSL 1.0.1e with heartbeats disabled. We did this within a very short period of time, and all of our customers were notified as soon as that work was complete. We will also update all of our servers to OpenSSL 1.0.1g with the next release of our Sailfish platform.
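An added example, not Verizon's tooling or code from the original post: a build like the one described above (1.0.1e with heartbeats disabled) still reports a version string in the vulnerable range, so a local check has to read the compile flags from `openssl version -a` as well. The sample outputs are constructed, and the check assumes the rebuild passed `-DOPENSSL_NO_HEARTBEATS` at configure time so that the flag shows up on the `compiler:` line.

```python
import re

# Releases with the vulnerable heartbeat code (CVE-2014-0160): 1.0.1 through
# 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1. 1.0.1g carries the fix.
VERSION_RE = re.compile(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]?)(-beta\d*)?\b", re.M)

# Constructed `openssl version -a` outputs (trimmed), not from any real host.
STOCK_101E = (
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O3 -Wall\n"
)
REBUILT_101E = (
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3 -Wall\n"
)
STOCK_101G = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_PIC -O3\n"


def classify(version_output: str) -> str:
    """Classify the text printed by `openssl version -a`."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    base, letter, beta = m.group(1), m.group(2), m.group(3)
    in_range = (base == "1.0.1" and letter <= "f") or (
        base == "1.0.2" and beta in ("-beta", "-beta1")
    )
    if not in_range:
        return "not-affected"
    # A rebuild with heartbeats compiled out keeps the old version string,
    # so the compile flags are the only local evidence of the mitigation.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeat-disabled"
    # Distribution backports can also fix the bug without changing the
    # letter; confirm against the package changelog or an external test.
    return "possibly-vulnerable"


if __name__ == "__main__":
    for name, text in [("stock 1.0.1e", STOCK_101E),
                       ("rebuilt 1.0.1e", REBUILT_101E),
                       ("stock 1.0.1g", STOCK_101G)]:
        print(f"{name}: {classify(text)}")
```

A "possibly-vulnerable" result is a prompt to check the package changelog or run an external test, not a verdict, since vendors often backport the fix without bumping the version letter.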
Could this bug expose Verizon’s users to digital eavesdropping?
It’s unlikely. We employ Perfect Forward Secrecy, a technology supported by current versions of most popular browsers. If the browser you are using supports Perfect Forward Secrecy, then your TLS sessions are not vulnerable to eavesdropping. Even if someone were to steal a copy of one of our private SSL keys, it could not be used to decrypt past or future recorded TLS sessions.
While it is possible that exploitation of the bug to compromise private keys could expose us to man-in-the-middle attacks, those are much harder to carry out than mere eavesdropping.
Are you planning to revoke and reissue digital certificates?
We are replacing all of the certificates under our control. In fact, all of the certificates from our primary certificate authority (DigiCert) have already been re-issued. We will also be working with customers to proactively replace all customer-provided certificates as a precautionary measure.
Does the use of Verizon’s Origin Shield reduce the vulnerability of customer origin servers to the Heartbleed Bug?
Yes. If the customer’s origin server is not publicly exposed, the risk of exploitation is substantially lower.
Do I need to change my Verizon control center (portal) password?
No. Our web portals are not affected by the Heartbleed Bug.
How can I tell if a web site is secured and no longer vulnerable?
A number of tools exist to test whether a site has been patched. Some examples include:
- https://www.ssllabs.com/ssltest/ (Qualys)
What should I do once I verify that my origin server is no longer vulnerable?
- Force your end users to change their passwords
- Replace your existing SSL certificates
- Revoke your existing SSL certificates once new SSL certificates are issued and you have verified that the original SSL certificates are no longer in use.
[Editor’s note: this post was updated 4/14/14 to clarify our usage of Perfect Forward Secrecy.]