Heartbleed roundup
April 20, 2014  

In an apparently non-ironic post, Schneier, who said of Heartbleed, “On the scale of 1 to 10, this is an 11,” calls this story a “crazy overreaction”:

A 19-year-old man was caught on camera urinating in a reservoir that holds Portland’s drinking water Wednesday, according to city officials.

Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland.

Meanwhile, CloudFlare reports that

Globalsign, who is CloudFlare’s primary CA partner, saw their CRL grow to approximately 4.7MB in size from approximately 22KB on Monday. The activity of browsers downloading the Globalsign CRL generated around 40Gbps of net new traffic across the Internet. If you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign’s monthly bandwidth bill.

(Compare $400,000 to the cost of 38 million gallons of water, which, at least in Portland, falls from the sky.)

Andy Ellis of Akamai uses a nice analogy to explain why Akamai concluded it needed to reissue all of its customer certificates after all:

Imagine that Heartbleed is a vulnerability in the locks in everyone’s homes. So in your own home, a lock doesn’t really work correctly, and attackers can freely wander about your house. This vulnerability not only gives an attacker access to your valuables, it also means they can pick up your housekey. Then you realize that you always put your housekey into a safe built into the foundation, so it probably wasn’t stolen. You still fix the locks, but you think you don’t also need to change the keys.

Unfortunately, it turns out we did need to change the keys after all—just like everyone else using openssl.

Using the same analogy, I’d argue that you shouldn’t (necessarily) change the keys in your house. Imagine that one day you leave your house unlocked when you go out. A couple of hours later you return and discover your mistake, and you see that you’ve left a housekey on the kitchen counter. Someone could have walked into your house and copied the key. Do you now re-key all of your door locks?

And continuing the analogy, suppose that you hear that people sometimes leave their doors unlocked when they leave the house. In an effort to be helpful, do you then go around your neighborhood testing everyone’s front door, and when you find that a neighbor has left their door open, do you enter their house and take pictures to show that you entered and leave them for the owners to find, so that they can fix the problem? (The answer is no because that is a good way to get arrested.)

Some have complained that Google’s Chrome browser doesn’t check for revoked certificates, leaving users vulnerable to Heartbleed effects. Adam Langley replies that revocation checking “doesn’t work and you are no more secure by switching it on.” I’m sympathetic to Adam’s view, yet it is also true that sometimes keys are compromised, and Adam’s solution (Chrome’s CRLSet, a list of revocations that Google curates and pushes to the browser) essentially means that you have to go through Google to protect your users. I think that even Google doesn’t see that as ideal.
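As an added example (not part of the original post, and not GlobalSign’s, CloudFlare’s or Google’s code), the Go program below builds a throwaway CA, signs a CRL over constructed serial numbers, and shows the two things the CloudFlare numbers and the revocation-checking debate turn on: what a client actually does to check a certificate against a CRL (verify the issuer’s signature, fail closed on a stale CRL, then look up the serial), and how many DER bytes each revoked serial adds, which is why a CRL balloons when a CA revokes many certificates at once. The CA name, the serial numbers and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example: a throwaway CA and made-up serials, not GlobalSign's data.

// buildCA makes a self-signed CA permitted to sign both certificates and CRLs.
func buildCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// buildCRL signs a DER-encoded CRL listing the given serials as revoked.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64) ([]byte, error) {
	now := time.Now()
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: entries, // pre-Go-1.21 field; newer Go still honours it
	}, ca, caKey)
}

// isRevoked is the client side: verify the CRL signature, fail closed if stale, look up the serial.
func isRevoked(crlDER []byte, issuer *x509.Certificate, serial int64) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by the expected issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %v", crl.NextUpdate)
	}
	want := big.NewInt(serial)
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(want) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// crlBytesPerEntry compares a 1-entry CRL with an n-entry one (n >= 2) and returns the DER bytes each extra revoked serial costs.
func crlBytesPerEntry(ca *x509.Certificate, caKey *ecdsa.PrivateKey, n int) (int, error) {
	serials := make([]int64, n) // constructed serials 1000, 1001, ...
	for i := range serials {
		serials[i] = int64(1000 + i)
	}
	small, err := buildCRL(ca, caKey, serials[:1])
	if err != nil {
		return 0, err
	}
	large, err := buildCRL(ca, caKey, serials)
	return (len(large) - len(small)) / (n - 1), err
}

func main() {
	ca, caKey, err := buildCA()
	if err != nil {
		panic(err)
	}
	crl, _ := buildCRL(ca, caKey, []int64{1000, 1001, 1002})
	revoked, err := isRevoked(crl, ca, 1002)
	per, _ := crlBytesPerEntry(ca, caKey, 1000)
	fmt.Println("serial 1002 revoked:", revoked, err, "| DER bytes per revoked serial:", per)
}
```

Each entry here is a bare SEQUENCE of INTEGER serial and UTCTime, about 21 bytes; real CRL entries carry reason codes and longer serials, so they cost more. Multiply even the minimal figure by a few hundred thousand revocations and the CRL is megabytes, which every client that does CRL checking then downloads, the cost CloudFlare is pricing above. The check itself also shows why “switching it on” is a weak defence: a client that cannot fetch a fresh CRL has to choose between failing closed, as this code does, and silently accepting the certificate.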

Ultimately Heartbleed has been great as an exercise in how to deal with compromised keys at Internet scale. I’d love to see a proper solution.