The Latest in IT Security

Akamai Reissuing SSL Keys After Flaw Found in Heartbleed Mitigation


Akamai Technologies admitted custom code thought to protect against the Heartbleed vulnerability has a flaw of its own and has forced the company to reissue SSL certificates and keys to its customers.

Last week, Akamai Technologies Chief Security Officer Andy Ellis blogged that while the company had been exposed to the vulnerability, its custom memory allocator protected against nearly every circumstance by which Heartbleed could have leaked SSL keys. However, recent findings by an independent security researcher forced the company to backtrack.

“Over the weekend, an independent security researchercontacted Akamaiabout some defects in the software we use for memory allocation around SSL keys,”blogged Ellis. “Wediscussed Fridayhow we believed this had provided our SSL keys with protection against Heartbleed and hadcontributed the codeback to the community. The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase.”

“In short: we had a bug,” Ellis added. “An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others. Inparticular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p. These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability. Given any CRT value, it is possible to calculate all 6 critical values.”

The issue was foundin Akamai’s code by security researcher Willem Pinckaers.As a result of the finding, the company is rotating all customer SSL keys/certificates. Some of these certificates will quickly rotate, while others will require extra validation with the certificate authorities and may take longer.

Since the bug’s public disclosure last week,researchers have confirmedthat the vulnerability does allow attackers to steal a Web server’s private SSL keys. While it remains unclear how extensively the two-year old bug has been exploited, authorities in Canada said Monday that as many as 900 Canadian taxpayers had their data stolen due to a Heartbleed attack.

“This is indeed one of the worst vulnerabilities in the history of the web,” said Amit Sethi, technical manager at Cigital. “It has been present in OpenSSL for over two years, during which time it has made it into a lot of software. Unlike many other vulnerabilities in SSL implementations that we have heard about in recent years, this one does not require the attacker to be positioned between your computer and the server. The attacker can go directly to the server and get any information that you recently exchanged with it over a secure channel.”

According to Symantec, none of the websites in Alexa’s top 1,000 websites is currently vulnerable. Within the Alexa top 5,000, only 24 siteswere vulnerable asof April 12. Within the top 50,000, only 1.8 percent of the sites are susceptible to Heartbleed.

“On the positive side, high-profile websites have been addressing the issue very quickly either by fixing it or by taking down their applications while they create a mitigation plan,” Sethi said. “On the negative side, we may never know the full extent of the information that might have been stolen. We will likely see various attacks that use the stolen information in the days and weeks to come.”


Brian Prince is a Contributing Writer for SecurityWeek.Previous Columns by Brian Prince:Akamai Reissuing SSL Keys After Flaw Found in Heartbleed Mitigation Google Boosts Android Security ProtectionMore Than Half of Enterprise Employees Receive No Security Training: Survey FindsOrbit Open Ad Server Security Hole ClosedMcAfee Outlines Strategy for Securing Internet of Things

sponsored links



Comments are closed.


TUESDAY, MAY 18, 2021

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments