OpenSSL Exploit Remediation: New Self-Signed Certificate Installed

Discussion in 'Forum Related Discussions' started by LowWaterMark, Apr 8, 2014.

Thread Status:
Not open for further replies.
  1. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    This is in response to the Heartbleed: Serious OpenSSL zero day vulnerability:

    I have upgraded OpenSSL on the server so that it is no longer vulnerable to this exploit.

    Also, because no server that ran a vulnerable version for any amount of time can be sure their certificate was not compromised, I have just generated a new self-signed certificate. (It was created and installed after the new OpenSSL version was installed.)

    As usual, you will need to accept the certificate and save it if you do not want the warning about self-signing.

    See previous threads about our position on certificate usage here on the forum:

    https://www.wilderssecurity.com/posts/2349462/
    https://www.wilderssecurity.com/threads/343834/

    New fingerprints for this certificate will follow:
    SHA-1: EC A1 03 4F 71 A6 0B F8 BD D3 4A DE E4 93 D1 D7 28 EC 84 3F
    SHA-256: 5F 46 37 09 A8 8C 86 22 FB 0C 41 73 18 AA 3F 8A 7C AF E0 04 18 58 2E C3 1D 6E D9 72 CE 04 5C 70

    Image of fingerprints
    self-signed-cert-2014b.png
     
    Last edited: Apr 9, 2014
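    One way to check the certificate the server actually presents against the fingerprints posted above before accepting it in a browser (an added example, not part of the original thread; it assumes Python 3 with only the standard library, and the forum host www.wilderssecurity.com on port 443):

```python
import hashlib
import hmac
import socket
import ssl

# Fingerprints posted in the thread, taken over the DER-encoded certificate
# (the same bytes browsers hash when they show a fingerprint).
POSTED_SHA1 = "EC A1 03 4F 71 A6 0B F8 BD D3 4A DE E4 93 D1 D7 28 EC 84 3F"
POSTED_SHA256 = ("5F 46 37 09 A8 8C 86 22 FB 0C 41 73 18 AA 3F 8A "
                 "7C AF E0 04 18 58 2E C3 1D 6E D9 72 CE 04 5C 70")


def normalize_fingerprint(text: str) -> str:
    """Accept 'EC A1 03', 'ec:a1:03' or 'eca103'; return lowercase hex, no separators."""
    hexstr = text.lower().replace(":", "").replace(" ", "")
    bytes.fromhex(hexstr)  # raises ValueError if the string is not valid hex
    return hexstr


def fingerprint(der: bytes, algo: str) -> str:
    """Hex digest of the DER-encoded certificate with the named hash algorithm."""
    return hashlib.new(algo, der).hexdigest()


def verify_fingerprints(der: bytes, expected: dict) -> dict:
    """Compare the certificate against each posted fingerprint; returns {algo: bool}."""
    return {
        algo: hmac.compare_digest(fingerprint(der, algo), normalize_fingerprint(posted))
        for algo, posted in expected.items()
    }


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Retrieve the server's leaf certificate without trusting it.

    Verification is disabled on purpose: a self-signed cert would otherwise be
    rejected before we can read it. Trust is decided by the fingerprint check,
    not by this connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    der = fetch_leaf_der("www.wilderssecurity.com")
    results = verify_fingerprints(der, {"sha1": POSTED_SHA1, "sha256": POSTED_SHA256})
    for algo, ok in results.items():
        print(f"{algo}: {'MATCH' if ok else 'MISMATCH'} ({fingerprint(der, algo)})")
```

    Only accept the certificate in the browser if both fingerprints match; a mismatch means the cert has changed again or the connection is being intercepted.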
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yeah, just got an alert from FF before I could get here. I wondered what it could be; now I know. Good move.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I guess it'd be wise to uninstall any/all previous ones?
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    If you mean removing old "accepted" certificates from here from the store in your browsers, sure, always a good idea.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ LWM

    Yes, exactly that, & I've just done it. Whilst there I noticed this

    not.png

    Why is that, as when FF prompted me I chose to permanently store it?
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    OK, that explains why there was a warning from Chrome when coming to this site. Will replace cert... Thanks for the info.

    hqsec
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    One more question: is there no need to change the password?

    hqsec
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Ah, well... that all depends upon whether you think this particular site was targeted by someone who knew about this before it became common knowledge. And, if that said "someone" decided to try to scan memory here for login credentials, if they got access.

    For myself, since my password really matters most when it comes to operating this site... as soon as I upgraded openssl and installed the new cert, I had to change my password.

    You know, it's only a single password after all, so, wouldn't you feel better off if you changed it - just in case?
     
  9. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    And in addition to the above, I don't think that many users here use the SSL site, and thus their password is already sent unencrypted ;) (but I could be wrong)
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    OK, thanks LWM. Will change it - just in case :cautious:

    hqsec
     
  11. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Great job (again) LWM :thumb:
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    LWM - thorough response. Nice!!

    As soon as I noticed Wilders updated I immediately changed my password. Until then, changing it would have been pretty much a waste of time.
     
  13. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    How to save/import the new certificate?
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I usually visit this site (https) with elevated IE. Click on site information and use option install certificate (or something similar). I install it in Trusted Root Certification Authorities.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why? Is there some danger in using the HTTP site?


    ----
    rich
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Not that I know of (except usual MITM attacks). But AFAIK if you want to install their certificate, you have to visit the https site.
     