Situation 1 (safe):
- Website was vulnerable to heartbleed and using a certificate not valid before 2012-10-21
- Website upgraded to a non-vulnerable version of OpenSSL
- Website re-keyed and got their certificate reissued, with the same not-valid-before date of 2012-10-21
- Today, when I inspect the site, I find it not vulnerable to heartbleed, and using a certificate with a not-valid-before date of 2012-10-21
Situation 2 (unsafe):
- Website was vulnerable to heartbleed and using a certificate not valid before 2012-10-21
- Website upgraded to a non-vulnerable version of OpenSSL
- Today, when I inspect the site, I find it not vulnerable to heartbleed, and using a certificate with a not-valid-before date of 2012-10-21
As far as I understand things, these two situations are indistinguishable to me as an end user who has never visited the website in question before. What am I missing?
FYI, situation 1 is apparently the case for *.wikipedia.org. They said that's just the way Digicert reissues certificates.
I disagree - While this IS a security issue, it is also the type of issue of interest to Superuser users, and should remain here. – davidgo – 2014-04-10T07:01:16.237
We can keep this here. It's on topic for our scope too. If you don't get good answers within, say two days, then we can still migrate it over. – slhck – 2014-04-10T07:49:14.020
I don't think there actually is a way without knowing the serial number (which you can either compare with the current one or check for in the CRL [List of revoked certs]). – UKB – 2014-04-10T09:56:30.443
@UKB Thanks! If you're sure of that, could you write an answer? – None – 2014-04-10T14:43:16.250
@Articuno We actually created a website to track this as best as we could. We grabbed the certs to the top 1 million websites and check to see if they are still vulnerable, and if the cert has changed since we cached it. http://Heartbleedstatus.com ( I'm not sure it is actually an answer though, so let me know) – Jacob – 2014-04-12T05:33:45.457
@Jacob This is great. Once I realized this is what it would take, I wanted to do this, but didn't have the time or resources. Although, I don't see where the certificate information is being shown. Oh, never mind.. I see it now. Perhaps make it clearer to users that they should check that other page and not just rely on the test of current vulnerability. – None – 2014-04-12T06:55:58.927
@Articuno Would you mind if I posted it as an answer? – Jacob – 2014-04-12T07:04:23.730
@Articuno: Bear in mind too that some services had private knowledge of Heartbleed before the public announcement, and those services will have revoked their old certs and issued new ones prior to the date of the public announcement. Cloudflare has explicitly said that they did this, and given that Google Security helped discover the bug in the first place, I am confident that Google did as well. – Daniel Pryden – 2014-04-14T03:03:46.163
@Jacob Yes, please. Although, I'd like this not to turn into a list of all the solutions like yours, so it would be good to also explain a bit about this ambiguity in the x.509 certificates. – None – 2014-04-14T15:56:52.150
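The following is an added example, not code from the question or from any of the commenters, illustrating the point UKB makes above: the not-valid-before date is carried over on reissue, so the only fields that actually change are the serial number and the public key (and therefore the certificate fingerprint), and a first-time visitor with no cached record cannot tell the two situations apart. The certificates are constructed, unsigned, certificate-shaped DER blobs built inline (the hostname `example.test`, the serial numbers and the "key" byte strings are all made-up values); the tiny DER walker reads the same TBSCertificate fields a real parser would, and `classify` shows what a cached record plus a revocation list can and cannot decide.

```python
"""Why notBefore cannot distinguish a re-keyed certificate from the old one.

Added example (not from the Superuser question or its comments). Builds two
constructed, unsigned certificate-shaped DER blobs with the same notBefore
date but different serial numbers and public keys, parses them back, and
shows which comparisons actually reveal a re-key.
"""
import hashlib

# ---- minimal DER helpers (constructed test data, not real signed X.509) ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                # keep INTEGER positive
        b = b"\x00" + b
    return tlv(0x02, b)

def build_cert(serial: int, not_before: bytes, not_after: bytes, pubkey: bytes) -> bytes:
    """Constructed minimal Certificate ::= SEQUENCE { tbs, sigAlg, sig }; signature is a placeholder."""
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    rsa_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))  # rsaEncryption
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example.test"))))
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))                    # UTCTime pair
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" + pubkey))                                # BIT STRING
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + der_int(serial) + sig_alg + name + validity + name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(8)))

# ---- DER walker: reads the TBSCertificate fields an end user can compare ----
def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_cert(der: bytes) -> dict:
    _, cert_body, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    tag, body, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                              # [0] EXPLICIT version present (v2/v3)
        tag, body, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(body, "big")
    _, _, pos = read_tlv(tbs, pos)               # signature algorithm
    _, _, pos = read_tlv(tbs, pos)               # issuer
    _, validity, pos = read_tlv(tbs, pos)
    _, not_before, vpos = read_tlv(validity, 0)
    _, not_after, _ = read_tlv(validity, vpos)
    _, _, pos = read_tlv(tbs, pos)               # subject
    _, spki, _ = read_tlv(tbs, pos)              # subjectPublicKeyInfo
    return {
        "serial": serial,
        "not_before": not_before.decode(),
        "not_after": not_after.decode(),
        "spki_sha256": hashlib.sha256(spki).hexdigest(),   # changes only on re-key
        "fingerprint": hashlib.sha256(der).hexdigest(),    # changes on any reissue
    }

def classify(current: dict, cached: dict = None, revoked_serials=frozenset()) -> str:
    """What a client can conclude, given an optional earlier record and a CRL's serials."""
    if cached is None:
        return "undecidable"               # first visit: notBefore alone proves nothing
    if cached["fingerprint"] == current["fingerprint"]:
        return "unchanged"                 # situation 2: pre-patch certificate still served
    if cached["spki_sha256"] == current["spki_sha256"]:
        return "reissued-same-key"         # new certificate, but the exposed key was kept
    if cached["serial"] in revoked_serials:
        return "rekeyed-old-revoked"       # situation 1, and the old serial is on the CRL
    return "rekeyed-old-not-revoked"

# Constructed sample data: same notBefore (the 2012-10-21 date from the question).
NOT_BEFORE = b"121021000000Z"
NOT_AFTER = b"151021000000Z"
PRE_PATCH_CERT = build_cert(0x1000, NOT_BEFORE, NOT_AFTER, b"constructed-key-A")
REKEYED_CERT = build_cert(0x1001, NOT_BEFORE, NOT_AFTER, b"constructed-key-B")

if __name__ == "__main__":
    old, new = parse_cert(PRE_PATCH_CERT), parse_cert(REKEYED_CERT)
    print("notBefore equal:", old["not_before"] == new["not_before"])
    print("first visit, no cache:", classify(new))
    print("with cached record:", classify(new, old))
    print("with cached record + CRL:", classify(new, old, frozenset({0x1000})))
```

Run it stand-alone and the first line prints `True` while the classifications differ only once a cached record is supplied, which is exactly the asymmetry the question describes: the date is identical in both situations, so the comparison has to be on serial number or public key against something you recorded earlier (or that a tracker like the one Jacob mentions recorded for you).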