
Preventing Disaster from Potential Security Bugs like Heartbleed - samlanning
http://samlanning.com/2014/04/08/preventing-damage-from-potential-security-bugs-like-heartbleed/
======
patio11
In addition to grabbing the private keys of the server, they can also grab
anything that the server process happened to have in memory.

Among _many_ other things, do you think your web server sees cookies? Yes,
clearly, right? So do you think the server sees session IDs? Yes, clearly. So
any session created in the last 2 years is presumed compromised. This is
undergoing _active exploitation_ at at least one Bitcoin exchange -- somebody
came up with a list of session IDs and copy/pasta'd the cookies into their
Firefox to check their balances. Checking balances: not nearly the most
interesting thing you can accomplish after logging in as someone.

Not enough fun yet? Does your web server see page content? So any page content
created in the last 2 years...

~~~
samlanning
Yes of course.

However by far the worst part of it is the private key leakage. With that, all
the other stuff it sees in memory that is sensitive is probably being
transmitted over the wire anyway. Which means that it can be MITM'd. Granted
that is a lot more work than just examining memory...

If you plug that hole with a system like this, a website owner could just
expire sessions and require people to log in again. In addition, the sessions
for the past 2 years won't be at risk, only the active sessions used that day.

In short, short-lived certificates will dramatically reduce the damage, not
prevent all damage.

EDIT: Sorry I realised that you were just adding to the list of consequences
to this bug, not arguing the mitigations I mention would be useless! =)

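An added illustration of the session-expiry step described in the comment above (this is example code, not code from the thread or from the linked article): a server-side session store where the operator sets a cutoff after rotating keys, so every session issued before the cutoff is rejected and the user has to log in again. The class names, timestamps and the 12-hour maximum age are assumptions constructed for the example.

```python
# Added illustration, not code from the thread or the article: after the keys
# are rotated, the operator sets a cutoff so every session issued before it is
# rejected and the user must log in again. Names are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

@dataclass
class Session:
    user: str
    issued_at: datetime

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    # sessions issued before this instant are treated as compromised
    issued_after: datetime = datetime.min.replace(tzinfo=timezone.utc)
    max_age: timedelta = timedelta(hours=12)  # bounds the exposure window

    def create(self, user: str, now: datetime) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable id, looked up server-side
        self.sessions[sid] = Session(user, now)
        return sid

    def invalidate_before(self, cutoff: datetime) -> int:
        """Incident response: reject sessions issued before `cutoff`; returns count dropped."""
        self.issued_after = cutoff
        stale = [sid for sid, s in self.sessions.items() if s.issued_at < cutoff]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def lookup(self, sid: str, now: datetime):
        """Return the user for a valid session id, else None (forces re-login)."""
        s = self.sessions.get(sid)
        if s is None or s.issued_at < self.issued_after or now - s.issued_at > self.max_age:
            return None
        return s.user

def demo():
    """Constructed timeline: one session from before the rotation, one after."""
    store = SessionStore()
    old = store.create("alice", datetime(2014, 4, 7, 9, 0, tzinfo=timezone.utc))
    rotated_at = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)  # keys/cert rotated
    dropped = store.invalidate_before(rotated_at)
    new = store.create("alice", rotated_at + timedelta(minutes=5))
    now = rotated_at + timedelta(hours=1)
    return store.lookup(old, now), store.lookup(new, now), dropped  # (None, 'alice', 1)
```

The cutoff only helps once the leaking process has been patched and the key rotated; until then newly issued sessions are exposed just like the old ones.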
------
peterwwillis
This proposal has nothing to do with the current vuln. Heartbleed lets you use
the negotiation/handshake to read _all the memory on the server_. It has
nothing to do with certs at all. Revoking a cert just means you're closing the
exposure after the fact; it's not really preventing disaster, more like
mopping up after it.

~~~
samlanning
Hi Peter,

The point of the article was more saying that revoking certs is not
sufficient, and we need better procedures in place to prevent disaster when
problems of this nature occur.

------
samlanning
I have updated the article to add some clarifications in response to the
comments posted here.

