Pragmatic reactions to a possible SSL private key compromise
In light of the fact that the OpenSSL 'heartbleed' issue may have resulted in someone getting a copy of your private keys, there are least three possible reactions that people and organizations can take:
- Do an explicit certificate revocation through your SSL CA and get
a new certificate, paying whatever extra certificate revocation
cost the CA requires for this (some do it for free, some normally
- Simply get new SSL certificates from whatever certificate vendor
you prefer or can deal with and switch to them. Don't bother to
explicitly revoke your old keys.
- Don't revoke or replace SSL keys at all, based on an assessment that the actual risk that your keys were compromised is very low.
These are listed in declining order of theoretical goodness and also possibly declining order of cost.
Obviously the completely cautious approach is to assume that your private keys have been compromised and also that you should explicitly revoke them so that people might be protected from an attacker trying man in the middle attacks with your old certificates and private keys (if revocation actually works this time). The pragmatic issue is that this course of action probably costs the most money (if it doesn't, well, then there's no problem). If your organization has a lot riding on the security of your SSL certificates (in terms of money or other things) then this extra expense is easy to justify, and in many places the actual cost is small or trivial compared to other budget items.
But, as they say. There are places where this is not so true, where the extra cost of certificate revocations will to some degree hurt or require a fight to get. Given that certificate revocation may not actually do much in practice, there is a real question of whether you're actually getting anything worthwhile for your money (especially since you're probably doing this as merely a precaution against potential key compromise). If certificate revocation is an almost certainly pointless expense that's going to hurt, the pragmatics push people away from paying for it and towards one of the other two alternatives.
(If you want more depressing reading on browser revocation checking, see Adam Langley (via).)
Getting new certificates is the intermediate caution option (especially if you believe that certificate revocation is ineffective in practice), since it closes off future risks that you can actually do something about yourself. But it still probably costs you some money (how much money depends on how many certificates you have or need).
Doing nothing with your SSL keys is the cheapest and easiest approach and is therefor very attractive for people on a budget, and there are a number of arguments towards a low risk assessment (or at least away from a high one). People will say that this position is obviously stupid, which is itself obviously stupid; all security is a question of risk versus cost and thus requires an assessment of both risk and cost. If people feel that the pragmatic risk is low (and at this point we do not have evidence that it isn't for a random SSL site) or cannot convince decision makers that it is not low and the cost is perceived as high, well, there you go. Regardless of what you think, the resulting decision is rational.
(Note that there is at least one Certificate Authority that offers SSL certificates for free but normally charges a not insignificant cost for revoking and reissuing certificates, which can swing the various costs involved. When certificates are free it's easy to wind up with a lot of them to either revoke or replace.)
In fact, as a late-breaking update as I write this, Neel Mehta
(the person who found the bug) has said that private key exposure
although of course unlikely is nowhere near the same thing as
'impossible'. See also Thomas Ptacek's followup comment.
Update: But see Tomas Rzepka's success report on FreeBSD for bad news.
Update April 12: It's now clear from the results of the CloudFlare challenge and other testing by people that SSL private keys can definitely be extracted from servers that are vulnerable to Heartbleed.
My prediction is that pragmatics are going to push quite a lot of people towards at least the second option and probably the third. Sure, if revoking and reissuing certificates is free a lot of people will take advantage of it (assuming that the message reaches them, which I would not count on), but if it costs money there will be a lot of pragmatic pressure towards cheap options.
(Remember the real purpose of SSL certificates.)
Sidebar: Paths to high cost perceptions
Some people are busy saying that the cost of new SSL certificates is low (or sometimes free), so why not get new ones? There are at least three answers:
- The use of SSL is for a hobby thing or personal project and the
person involved doesn't feel like spending any more money on it
than they already have or are.
- There are a significant number of SSL certificates involved, for
example for semi-internal hosts, and there's no clear justification
for replacing only a few of their keys (except 'to save money',
and if that's the justification you save even more money by not
replacing any of them).
- The people who must authorize the money will be called on to defend the expense in front of higher powers or to prioritize it against other costs in a fixed budget or both.
These answers can combine with each other.