In hearing about the Heartbleed vulnerability, I went to https://www.openssl.org/source/
to download the latest patch, but was quite surprised to find that the security certificate for that site has not been refreshed since the exploit was discovered ("not valid before" date is Tuesday, August 30, 2011 5:30:50 AM CT).
So, how can I be sure what I'm looking at is the true OpenSSL site and not an impostor who stole their certificate (even before the exploit was revealed).
In other words, I downloaded https://www.openssl.org/source/openssl-1.0.1g.tar.gz
, which that same site claims to have an MD5 of de62b43dfcd858e66a74bee1c834e959
, which it does, but is that the right fingerprint for that patch? Or am I downloading something malicious that has a new backdoor coded in it?
UPDATE: Following suggestion from @Lekensteyn, I verified that the PGP signature provided for that download was valid and signed by key 0xFA40E9E2
, which seems to be the key of Dr Stephen N Henson <steve@openssl.org>
(which the the website agrees with). But to be super-sure, I'm assuming I can't trust the website right now. What other ways can I get faith that the 0xFA40E9E2
key is the one that should be signing that release?
Does anyone have an OpenSSL download from the 0.9.8 branch (that was not compromised by Heartbleed and would be old enough to have been distributed before the exploit), that they can verify is signed by that same key?
Concern: I found this notice of an update to the OpenSSL website, just before the exploit was revealed (April 2), and the change to the site was to mark Dr. Henson's key as expired, and add 0xFA40E9E2
as his new key, but that key was created back in 2005? So it's a new key to identify Dr. Henson, but then that's the key they chose to sign this super-important patch to Heartbleed? Does that seem off to anyone?