OpenSSL Exploit Remediation: New Self-Signed Certificate Installed

Discussion in 'General Topics' started by LowWaterMark, Apr 8, 2014.

Thread Status:
Not open for further replies.
  1. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    This is in response to the thread "Heartbleed: Serious OpenSSL zero day vulnerability":

    I have upgraded OpenSSL on the server so that it is no longer vulnerable to this exploit.

    Also, because no server that ran a vulnerable version for any amount of time can be sure its certificate was not compromised, I have just generated a new self-signed certificate. (It was created and installed after the new OpenSSL version was installed.)

    As usual, you will need to accept the certificate and save it if you do not want the warning about self-signing.

    See previous threads about our position on certificate usage here on the forum:

    https://www.wilderssecurity.com/posts/2349462/
    https://www.wilderssecurity.com/threads/343834/

    New fingerprints for this certificate follow:
    SHA-1: EC A1 03 4F 71 A6 0B F8 BD D3 4A DE E4 93 D1 D7 28 EC 84 3F
    SHA-256: 5F 46 37 09 A8 8C 86 22 FB 0C 41 73 18 AA 3F 8A 7C AF E0 04 18 58 2E C3 1D 6E D9 72 CE 04 5C 70

    Image of fingerprints
    self-signed-cert-2014b.png
     
    Last edited: Apr 9, 2014
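    The security-relevant step for a visitor is to compare the fingerprint the browser shows against the values posted above rather than just clicking "accept". The script below is an added example (not part of the original post or the forum software) that fetches the leaf certificate a server presents without trusting it, formats its SHA-1 and SHA-256 fingerprints in the same "XX XX ..." layout browsers display, and compares them in constant time against the pinned values. The pinned fingerprints are copied from the post above; the host name, function names and the ``check_site`` helper are assumptions made for this example.

```python
"""Out-of-band fingerprint pinning check for a self-signed site certificate.

Added example, not code from the original thread. The fingerprints in
PINNED are the ones posted above; HOST is an assumption for this example.
"""
import hashlib
import hmac
import socket
import ssl

# Fingerprints as published in the post above (out-of-band reference values).
PINNED = {
    "sha1": "EC A1 03 4F 71 A6 0B F8 BD D3 4A DE E4 93 D1 D7 28 EC 84 3F",
    "sha256": "5F 46 37 09 A8 8C 86 22 FB 0C 41 73 18 AA 3F 8A 7C AF E0 04 "
              "18 58 2E C3 1D 6E D9 72 CE 04 5C 70",
}
HOST = "www.wilderssecurity.com"  # assumed host for this example, not from the post


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER-encoded certificate as uppercase, space-separated byte pairs.

    This is the same presentation browsers use in the certificate viewer,
    so a value read off the screen can be pasted straight into PINNED.
    """
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators (spaces, colons) and case so hand-copied values compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def matches_pin(der: bytes, pinned: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the certificate's fingerprint with the pinned value."""
    return hmac.compare_digest(normalize(fingerprint(der, algo)), normalize(pinned))


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the server's leaf certificate in DER form.

    Chain validation is disabled on purpose: a self-signed certificate
    fails normal validation, and the pin comparison replaces it. Nothing
    is sent over the connection after the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host: str, pins: dict) -> dict:
    """Fetch the live certificate and report, per algorithm, whether it matches its pin."""
    der = fetch_leaf_der(host)
    return {algo: matches_pin(der, pin, algo) for algo, pin in pins.items()}


if __name__ == "__main__":
    # Live network use: only meaningful against a host whose pins you obtained out of band.
    for algo, ok in check_site(HOST, PINNED).items():
        print(f"{algo}: {'MATCH' if ok else 'MISMATCH - do not accept this certificate'}")
```

    A match only tells you the presented certificate is the one whose fingerprints were published; it says nothing about the certificate's trustworthiness beyond that. Read the reference fingerprints from somewhere other than the TLS session you are checking (the posted values, or a screenshot saved earlier), since a fingerprint copied out of an intercepted connection will trivially match itself. Both digests are checked because a mismatch on either is a reason to stop.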
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yeah, just got an alert from FF before I could get here. I wondered what it could be; now I know. Good move.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I guess it'd be wise to uninstall any/all previous ones?
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    If you mean removing old "accepted" certificates from here from the store in your browsers, sure, always a good idea.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ LWM

    Yes, exactly that, and I've just done it. Whilst there I noticed this:

    not.png

    Why is that, as when FF prompted me I chose to permanently store it?
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,045
    OK, that explains why there was a warning from Chrome when coming to this site. Will replace the cert... Thanks for the info.

    hqsec
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,045
    One more question: there is no need to change the password?

    hqsec
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Ah, well... that all depends upon whether you think this particular site was targeted by someone who knew about this before it became common knowledge. And, if said "someone" decided to try to scan memory here for login credentials, if they got access.

    For myself, since my password really matters most when it comes to operating this site... as soon as I upgraded openssl and installed the new cert, I had to change my password.

    You know, it's only a single password after all, so, wouldn't you feel better off if you changed it - just in case?
     
  9. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    276
    Location:
    SE Asia
    And in addition to the above, I don't think that many users here use the SSL site, and thus their password is already sent unencrypted ;) (but I could be wrong)
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,045
    OK, thanks LWM. Will change it - just in case :cautious:

    hqsec
     
  11. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Great job (again) LWM :thumb:
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    LWM - thorough response. Nice!!

    As soon as I noticed Wilders updated, I immediately changed my password. Until then, changing it would have been pretty much a waste of time.
     
  13. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    How to save/import the new certificate?
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,045
    I usually visit this site (https) with elevated IE. Click on the site information and use the option to install the certificate (or something similar). I install it in Trusted Root Certification Authorities.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Why? Is there some danger in using the HTTP site?


    ----
    rich
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,045
    Not that I know of (except the usual MITM attacks). But AFAIK if you want to install their certificate, you have to visit the https site.
     