Sysadmins disposed of Heartbleed certs, but forgot to flush

Sysadmins' need for sleep and attempts to stop working at weekends have slowed down the response to Heartbleed, according to University of Maryland researchers – but more seriously, it's possible that a bunch of half-fixed websites retain some vulnerability to the bug. The problem, the researchers told the 2014 Internet …


Probably a vast majority of those certificates are used on other servers

I figure the reason why many sites haven't revoked the old certificates is that they aren't done replacing the old ones, like they may be used in DR sites or cloud services and they are waiting until those have been replaced before revoking the old certs. A lot of companies I've worked with wait until primary production has been proven to work for some time before the change can be made in DR.

After all, it would be pretty stupid to revoke *then* issue new certificates since that would leave a time period in which no encryption is possible.

Slx

And that's only the well administered servers...

It'll be a while before you could safely say it's been dealt with.

Anonymous Coward

Re: It'll be a while before you could safely say it's been dealt with.

Possibly quite a long while. I've heard of production servers that won't be patched at all because the products running on them are well past EOL so the vendors aren't issuing patches for them. And apparently they can't find the money to move to a product that is being patched.

AC because even though I know I know so little, I still know too much.


Re: It'll be a while before you could safely say it's been dealt with.

I've seen them as well, AC.


Lazy?

"while sysadmins may have run in the necessary patches, they haven't gotten around to revoking the PKI certificates their sites had before the bug was discovered"

Suspect it's actually a conscious decision to not replace certs. There was a realistic attack window, there was a paranoid attack window and in between there was statistical reality.


Certificate revocation

Revocation is of limited use anyway. It's up to the recipient to check for revocation, using a CRL (which may well be out of date) or OCSP (which drastically slows the connection process, and we can't have that, because I need to read inane Facebook updates or buy that shiny thing now now now).

I don't know how well recent browsers do, but at least as recently as 2011 they were terrible at checking for revoked certificates. And many people are still running old browsers.

The entire X.509 PKI system is an irreparably broken mess, but revocation stands out as especially broken, and stovepiped with unsuccessful attempts at patching the problem. (And this is an area where the PGP/GPG Web of Trust PKI doesn't do significantly better.)

PKI is a collection of hard problems, and we flunked this one.

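To make the "CRL which may well be out of date" point above concrete, here is an added example (not from the thread): a throwaway local CA issues a server certificate, the CRL is published, the certificate is revoked, and the relying party's verdict is compared across the stale and the fresh CRL. The CA name DemoCA, the hostname www.example.test and all file names are constructed; it needs only the openssl command-line tool.

```shell
# Added example: issue, revoke, then compare what a relying party concludes from
# a CRL fetched before the revocation and one fetched after it. Names are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 7
policy = any_dn
[ any_dn ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF

# Throwaway CA key/cert, then a server certificate for a constructed hostname
openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -keyout ca.key -out ca.pem -subj /CN=DemoCA -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -config ca.cnf -keyout srv.key -out srv.csr -subj /CN=www.example.test 2>/dev/null
touch index.txt; echo 01 > serial
openssl ca -batch -config ca.cnf -in srv.csr -out srv.pem -days 30 -notext 2>/dev/null

# The relying party's check: chain validation plus a lookup in whichever CRL copy it holds
check() {
  out=$(openssl verify -CAfile ca.pem -crl_check -CRLfile "$1" srv.pem 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo valid ;;
    *) echo error ;;
  esac
}

openssl ca -config ca.cnf -gencrl -out crl_stale.pem 2>/dev/null  # published before the revocation
openssl ca -config ca.cnf -revoke srv.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl_fresh.pem 2>/dev/null  # published after it
echo "stale CRL says: $(check crl_stale.pem)"  # valid: the client still trusts the revoked cert
echo "fresh CRL says: $(check crl_fresh.pem)"  # revoked
```

A client that caches the first CRL until its nextUpdate (seven days here) keeps accepting the revoked certificate for that whole window, which is the gap the comment describes.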
