Join the revolution - StartCom Linux  

Official StartCom Public User Forum

 Post subject: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Tue Apr 08, 2014 7:48 pm 

Joined: Tue Oct 08, 2013 2:46 pm
Posts: 6
Location: DE
Ok - seems all StartCOM customers have to pay for revocations to be able to generate new private keys (after patching the affected servers) which means generating new certificates as well.

Well - it's sad, but if there is no other way I would even pay to get my existing Class 2 certificates renewed - yes, I have a number of them - so this will not be cheap :-(.

But before I really go this way and spend a lot of money for bugs I am not responsible for:

How long will it take to get the revocation request processed?

The situation is this: I have a number of users on my mail- and webservers and I can't tell them that the servers will not be available for a couple of days until the old certificates got revoked and new ones got created.


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Tue Apr 08, 2014 8:38 pm 

Joined: Tue Apr 08, 2014 8:23 pm
Posts: 9
Yes, this does seem a bit silly, doesn't it?
Fundamentally no administrator could expect/know how to do this.

If you don't patch your system, then it looks bad on the administrator.

If you patch your system but then don't try to replace private keys, this is 'head in the sand'.
There's every reason to think that your key *may* have been compromised, but little way to tell, so it's not clear how to comply with StartCom's terms.

What is more worrying is the head-in-the-sand approach to this; StartCom could be pro-active in at least allowing us to one-off re-issue certificates (maybe also revoking them in CRLs after a bit, for what good that does anyway) -- for those of us who want to "do the right thing" and at least change the private key.

As it is, it just looks like they just want to collect money off of the unfortunate situation, and do not care to help with security // encouraging others to similarly put their head in the sand? -- a bit of a worrying attitude?


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Wed Apr 09, 2014 2:40 pm 

Joined: Wed Apr 09, 2014 2:35 pm
Posts: 2
Customers of CAs like GlobalSign or Thawte can revoke their certificates and generate new ones free of charge. Isn't anything similar planned by StartCOM?


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Wed Apr 09, 2014 6:43 pm 

Joined: Wed Apr 09, 2014 6:40 pm
Posts: 2
Well - revoking certificates and once done - moving to a more trustable CA is the thing one can do.


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Wed Apr 09, 2014 8:24 pm 

Joined: Tue Oct 08, 2013 2:46 pm
Posts: 6
Location: DE
Well - according to the news on heise.de and especially THIS conversation, it seems StartCOM is not really willing to help customers replace their potentially compromised certificates.

In short: "Pay for it or let it be - it's not our fault that there are bugs in OpenSSL" :-(

Ok - in a way I can understand the situation. But the procedure would still not be acceptable:

1) An existing certificate has to be revoked FIRST - and from then on existing services will NOT be usable any longer, since many clients would not accept the certificate any longer.

2) Then AFTER the revocation a new certificate can be generated (with a new private key of course) - but there is no information at all on how long it takes until this is possible after revocation.

To be honest: This is ridiculous!

I would accept to pay for additional work which is necessary by StartCOM. But it is just not acceptable to take services offline for an incalculable time. Is it less than an hour, some hours, a day or even more?

So again: How long is the time window I have to take into account to revoke existing certificates and generate new ones - assuming I have all CSRs based on new private keys ready?


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Wed Apr 09, 2014 10:25 pm 

Joined: Wed Apr 09, 2014 10:18 pm
Posts: 1
phobos wrote:
Well - revoking certificates and once done - moving to a more trustable CA is the thing one can do.



What does trust have to do with billing? Just because they may charge you for something that was caused by software you did choose to use on your own? That's the risk when using free software (for which in turn you don't have to pay!).

BTW:

My certificate got revoked for free and I got the following mail: "Exceptionally revoked without fee".

So, thank you StartCom!

kind regards

Jan


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Thu Apr 10, 2014 12:24 am 

Joined: Tue Apr 08, 2014 8:23 pm
Posts: 9
I've similarly requested revocation for all affected certificate-key pairs, similarly we will see =).


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Thu Apr 10, 2014 12:29 pm 

Joined: Tue Oct 08, 2013 2:46 pm
Posts: 6
Location: DE
To avoid further trouble, I generated a new certificate for a specific domain name - because revoking the existing wildcard certificate without having a new one first, and without knowing how long this would take, is just unacceptable.


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Thu Apr 10, 2014 2:54 pm 

Joined: Tue Oct 08, 2013 2:46 pm
Posts: 6
Location: DE
Ok - some updates:

1) My first revocation took about 5 hours and StartSSL was so kind not to charge anything for that. Thank you!

2) After that I could request a new certificate with my CSR based on a new private key which I prepared earlier locally - and it got issued immediately.

So I will just do the same procedure for the remaining certificates.


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Thu Apr 10, 2014 3:22 pm 

Joined: Wed Apr 09, 2014 2:35 pm
Posts: 2
Hi Arno, wasn't it necessary to re-validate your organization and identity?


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Thu Apr 10, 2014 4:57 pm 

Joined: Thu Apr 10, 2014 2:01 pm
Posts: 2
Location: DE
arnowelzel wrote:
1) My first revocation took about 5 hours and StartSSL was so kind not to charge anything for that. Thank you!

Which kind of certificate / validation are you talking about (Class 2 / Class 3 / EV)?
(I think for EV it is "normal" that they take no fees for revocation.)


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Thu Apr 10, 2014 5:19 pm 

Joined: Tue Oct 08, 2013 2:46 pm
Posts: 6
Location: DE
The certificate was a Class 2 (no EV).

And no - I did not have to validate my identity again, since only the keys for the certificates had to be revoked - not my personal key, which never got compromised.

By the way: The other two revocations got processed really fast - but the certificates did not get revoked for free - at least I got a confirmation telling me that I had to pay about 50 USD for the revocation of two Class 2 certificates.

But on the other hand - it's still WAY cheaper than getting three wildcard certificates anywhere else, so no worries here.

BTW: I'm not sure if StartCOM is aware of that - but there is a bug report asking for removal of StartSSL from the trusted CAs in Debian because of the charge for revocations, see https://bugs.debian.org/cgi-bin/bugrepo ... bug=744027


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Thu Apr 10, 2014 5:35 pm 

Joined: Thu Apr 10, 2014 2:01 pm
Posts: 2
Location: DE
arnowelzel wrote:

I think, this will never happen,
neither in Debian nor in Mozilla ( https://bugzilla.mozilla.org/show_bug.cgi?id=994478 ) ...

(Why blame a CA, why not blame the OpenSSL makers (for THEIR bug)? -> because it's much easier :wink: )


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Fri Apr 11, 2014 10:14 am 

Joined: Fri Apr 11, 2014 9:48 am
Posts: 1
Location: NZ
Why wouldn't it? It's irresponsible on the part of the provider. CAs are in a trusted position, and if you cannot trust a CA to act in the best interest of the wider community, then what place is there for them in the trusted CA list?

Not to mention that in the wake of the Debian Weak Keys issue (http://www.debian.org/security/2008/dsa-1571) they stated that they were revoking certificates of their own accord (i.e. without the customers interaction) after a few weeks.

StartSSL FAQ #74 wrote:
74.) What is a weak key and why do I have to create a new certificate?

All private keys and the resulting certificates which were created on a Debian based operating system - including Ubuntu, are compromised due to a bug since September 2006. Web sites which rely on a private key created by the affected systems are highly vulnerable and should be replaced immediately.

If you received an email from StartCom warning you about being affected, please request revocation from within the StartSSL Control Panel -> "Tool Box" -> "Revocation Request" and create a new certificate. Certificates which were signed by our old CA root should be revoked from here.
Don't use a Debian system without having it updated - which includes those of hosting providers using cPanel and Plesk. You can create your private key by the StartSSL Certificates Wizard (more information).

StartCom will eventually revoke all affected certificates after a short week period after sending the warning mail.

Emphasis is mine - source: http://www.startssl.com/?app=25#74

I don't see how this is any different - well, aside from being a hell of a lot worse and more widespread - it's purely an attempt at making a quick buck due to the large scale of this issue, as far as I'm concerned.

As it so happens, I suspect it's also somewhat contrary to the Mozilla requirements listed here in section 2:
https://www.mozilla.org/en-US/about/gov ... intenance/

Mozilla Certificate Policy wrote:
2 CAs must revoke Certificates that they have issued upon the occurrence of any of the following events:
[...]
- the CA obtains reasonable evidence that the subscriber’s private key (corresponding to the public key in the certificate) has been compromised or is suspected of compromise (e.g. Debian weak keys), or that the certificate has otherwise been misused;
[...]


I would be surprised if other folks like Debian did not have a clause like this. (Edit: As it happens, Debian just uses Mozilla's anyway)
Every other CA I've had to deal with this week has either not charged (e.g. if they said they could in the terms of service) or been free anyway as part of the service.

Revoke for free, fee for reissue seems more sane to me. Personally, I moved my paid for services to another provider.


 Post subject: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed")
PostPosted: Tue Apr 15, 2014 10:45 am 

Joined: Tue Apr 08, 2014 8:23 pm
Posts: 9
Well, StartCom finally produced a statement:
https://www.startssl.com/?app=43
Supposedly they claim the size of CRLs being downloaded will be costly....
How believable is this? Does OCSP really solve this problem, anyway?


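As an added example that is not part of this thread (and not StartCom's or the OpenSSL project's own tooling), the following POSIX shell script rehearses the procedure the posts above argue about against a throwaway local CA, in the order that avoids an outage: prepare a new private key and CSR locally, have the replacement certificate issued before anything is revoked, confirm the replacement really carries a new public key, and only then revoke the old certificate, publish a CRL and check both certificates against it with `openssl verify -crl_check`. The CA name, the hostname example.test and the file layout are constructed for the demo; it needs only a stock `openssl` binary.

```shell
#!/bin/sh
# Added example, not code from the thread or from StartCom/OpenSSL: rehearse the
# revoke/reissue procedure against a throwaway local CA in the order that avoids
# an outage. Names (example.test, "Example Test CA") and paths are constructed.
set -eu

WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"; CFG="$WORK/openssl.cnf"
mkdir -p "$CA/newcerts"
: > "$CA/index.txt"            # certificate database used by "openssl ca"
echo 1000 > "$CA/serial"       # next certificate serial number (hex)
echo 1000 > "$CA/crlnumber"    # next CRL number (hex)

# Minimal config for the local test CA; "$dir" is left for openssl to expand.
# unique_subject=no lets the old and the new certificate share one subject.
cat > "$CFG" <<EOF
[ ca ]
default_ca       = local_ca
[ local_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 1
unique_subject   = no
policy           = policy_any
x509_extensions  = v3_leaf
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
EOF

# Local test CA standing in for the real CA in the thread.
openssl req -x509 -new -config "$CFG" -newkey rsa:2048 -nodes -days 7 \
  -keyout "$CA/ca.key" -out "$CA/ca.crt" -subj "/CN=Example Test CA" 2>/dev/null

make_key_and_csr() {   # $1 = file prefix, $2 = common name; the key never leaves this host
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -config "$CFG" -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}
issue_cert() {         # $1 = file prefix: signs $1.csr into $1.crt and records it in the database
  openssl ca -batch -config "$CFG" -notext -in "$1.csr" -out "$1.crt" 2>/dev/null
}
spki_fingerprint() {   # $1 = certificate; SHA-256 over the DER SubjectPublicKeyInfo
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}
revoke_and_publish_crl() {   # $1 = certificate; the new CRL is bundled with the CA cert
  openssl ca -config "$CFG" -revoke "$1" 2>/dev/null
  openssl ca -config "$CFG" -gencrl -out "$CA/crl.pem" 2>/dev/null
  cat "$CA/ca.crt" "$CA/crl.pem" > "$CA/bundle.pem"
}
accepted_with_crl_check() {  # $1 = certificate; exit 0 if it chains to the CA and is not on the CRL
  openssl verify -crl_check -CAfile "$CA/bundle.pem" "$1" >/dev/null 2>&1
}
crl_entry_count() {          # number of revoked serials listed in the published CRL
  openssl crl -in "$CA/crl.pem" -noout -text | grep -c 'Serial Number:'
}

# 1. The old key pair: in service while the server ran a vulnerable OpenSSL.
make_key_and_csr "$WORK/old" example.test; issue_cert "$WORK/old"
# 2. New key and CSR prepared locally; the replacement is issued BEFORE any revocation.
make_key_and_csr "$WORK/new" example.test; issue_cert "$WORK/new"
# 3. Sanity check: a reissued certificate over the same key would defeat the rotation.
[ "$(spki_fingerprint "$WORK/old.crt")" != "$(spki_fingerprint "$WORK/new.crt")" ] \
  || { echo "new certificate reuses the old public key" >&2; exit 1; }
# 4. Only now revoke the old certificate and publish the CRL.
revoke_and_publish_crl "$WORK/old.crt"
if accepted_with_crl_check "$WORK/old.crt"; then echo "old cert: still accepted?!"; else echo "old cert: revoked"; fi
if accepted_with_crl_check "$WORK/new.crt"; then echo "new cert: valid"; else echo "new cert: rejected?!"; fi
echo "CRL entries: $(crl_entry_count), CRL size: $(wc -c < "$CA/crl.pem") bytes"
```

The last line prints the CRL size: every revoked serial adds an entry and the whole file is re-downloaded by each client, which is the growth the StartCom statement points at, whereas an OCSP response covers one certificate at a time. Running the same rehearsal in the other order (revoke first, issue later) reproduces the outage window the thread complains about: the old certificate fails `-crl_check` while the replacement does not exist yet.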
All times are UTC + 2 hours [ DST ]