InsightaaS: Ars Technica is one of the web’s best-respected sources for technical insight. Founded in 1998 as a publication for “alpha geeks”, the site is a source of technology news, analysis of scientific advancements, gadget reviews, and related features. “How Heartbleed transformed HTTPS security into the stuff of absurdist theater” provides an excellent example of why the site is so well-respected: the content is thorough, and an active commenter community and comment rating system help to identify the most pertinent observations. In this article, Ars Technica security editor Dan Goodin reports key points from a post by security expert Adam Langley and adds perspective that helps the reader understand the difficulties involved in relying on the online certificate status protocol (OCSP) as a means of coping with Heartbleed fallout.
If you want to protect yourself against the 500,000 or so HTTPS certificates that may have been compromised by the catastrophic Heartbleed bug, don’t count on the revocation mechanism built into your browser. It doesn’t do what its creators designed it to do, and switching it on makes you no more secure than leaving it off, one of the Internet’s most respected cryptography engineers said over the weekend.
For years, people have characterized the ineffectiveness of the online certificate status protocol (OCSP) as Exhibit A in the case that the Internet’s secure sockets layer (SSL) and transport layer security (TLS) protocols are hopelessly broken. Until now, no one paid much attention. The disclosure two weeks ago of the so-called Heartbleed bug in the widely used OpenSSL cryptography library has since transformed the critical shortcoming into a major problem, the stuff of absurdist theater. Security experts admonish administrators of all previously vulnerable websites to revoke and reissue TLS certificates, even as they warn that revocation checks in browsers do little to make end users safer and could indeed weaken the security and reliability of the Internet if they were made more effective. Certificate revocation is the process of a browser or other application performing an online lookup to confirm that a TLS certificate hasn’t been revoked. The futility of certificate revocation was most recently discussed in a blog post published Saturday by Adam Langley, an engineer who was writing on his own behalf but who also handles important cryptography and security issues at Google…
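The two warnings above, that browser revocation checks add little safety and that making them stricter would hurt reliability, come down to what a client does when the OCSP responder gives no answer. The following is an added illustration, not code from Ars Technica or from Langley’s post: a constructed stand-in responder and a client check with a switchable “soft-fail” (accept on no answer) or “hard-fail” (reject on no answer) policy, using made-up serial numbers.

```python
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


class OcspResponder:
    """Stand-in for a CA's OCSP responder that answers from a list of revoked serials."""

    def __init__(self, issued_serials, revoked_serials, reachable=True):
        self.issued = set(issued_serials)
        self.revoked = set(revoked_serials)
        self.reachable = reachable  # False models a blocked, overloaded or down responder

    def query(self, serial):
        if not self.reachable:
            raise TimeoutError("OCSP responder did not answer")
        if serial in self.revoked:
            return REVOKED
        return GOOD if serial in self.issued else UNKNOWN


def certificate_accepted(serial, responder, hard_fail=False):
    """Client-side revocation check.

    hard_fail=False is the usual browser behaviour ("soft fail"): with no definitive
    answer, the certificate is accepted as though it were fine. hard_fail=True refuses
    the connection instead, so every responder outage also breaks valid sites.
    """
    try:
        status = responder.query(serial)
    except TimeoutError:
        return not hard_fail
    if status == REVOKED:
        return False
    return True if status == GOOD else not hard_fail  # UNKNOWN is no better than no answer


# Constructed serials: a certificate reissued after Heartbleed and its revoked predecessor.
OLD_SERIAL, NEW_SERIAL = 0x1001, 0x1002
ISSUED, REVOKED_SERIALS = {OLD_SERIAL, NEW_SERIAL}, {OLD_SERIAL}


def scenarios():
    """Accept/reject outcome for each certificate, responder state and policy."""
    online = OcspResponder(ISSUED, REVOKED_SERIALS, reachable=True)
    offline = OcspResponder(ISSUED, REVOKED_SERIALS, reachable=False)
    return {
        "revoked cert, responder online, soft-fail": certificate_accepted(OLD_SERIAL, online),
        "revoked cert, responder offline, soft-fail": certificate_accepted(OLD_SERIAL, offline),
        "revoked cert, responder offline, hard-fail": certificate_accepted(OLD_SERIAL, offline, True),
        "valid cert, responder offline, hard-fail": certificate_accepted(NEW_SERIAL, offline, True),
    }
```

The second scenario is the article’s point: under soft-fail, a revoked certificate is accepted whenever the responder cannot be reached, while the fourth shows the reliability cost of hard-fail, where a perfectly valid certificate is rejected for the same reason.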
Read the entire post: http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/