While security vendors assess their product ranges for exposure to the recently discovered 'Heartbleed' bug, Symantec's massive digital certificate infrastructure remains secure – but the company is advising customers to update the vulnerable OpenSSL code and then regenerate their public key infrastructure (PKI) private keys, according to its Melbourne-based senior principal systems engineer Nick Savvides.
The high-profile bug had generated a flood of calls to the company's Melbourne customer support centre – one of four facilities in the world to handle both customer validation and the generation of new public keys within its VeriSign infrastructure – but Symantec was providing free certificate renewal services for customers who were generally being encouraged to use self-service control panels to reissue their private keys.
“It's a big problem because it drives so many Web servers, but it's not that certificates and PKI are broken,” Savvides told CSO Australia.
“The fundamental technology is still sound and the way it operates is still sound. The chain of trust is intact. It's just this implementation, which is a very serious issue that needs to be addressed by IT operations teams.”
Certificate authorities around the world have been quick to act in the wake of the discovery of Heartbleed, which potentially exposed millions of private encryption keys to snooping interlopers, has many questioning whether the Web's Secure Sockets Layer (SSL) encryption is still secure enough to be widely used, and has drawn all manner of superlatives describing the magnitude of the threat.
Rival CA Comodo has already reissued tens of thousands of certificates, with replacement requests running at 10 to 12 times the usual pace as hackers reportedly prepare their efforts to capitalise upon the bug. Entrust, another CA, is also offering free replacement certificates.
Savvides cautioned customers – who need to work through a process to quickly reduce their exposure – to make sure they had identified and patched all systems with the OpenSSL vulnerability before renewing the certificates.
There was no indication yet as to how many of those private keys had been regenerated, but Savvides believes a year from now it will be much easier to tell: “there are tools that let you scan the Web and determine the expiry date of certificates,” he said.
“I have a good feeling that, 12 months from now, one-third of the world's SSL certificates will come up for expiry within the same three-day period because they're all being renewed now.”
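The ordering Savvides stresses (patch every OpenSSL host first, then regenerate keys and reissue certificates) and the certificate-scanning tools he mentions can be combined into a simple audit. The following is an added example, not code from Symantec or the article: it reads each certificate's notBefore date in the dict shape Python's ssl module returns, compares it with the time that host was patched, and flags keys generated before the patch; the disclosure date (7 April 2014), the host names and the patch times are assumed or constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed public disclosure date of Heartbleed: 7 April 2014 (UTC).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc).timestamp()

def fetch_cert(host, port=443):
    """Live certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
    Needs network access; the sample audit below never calls it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_issued_at(cert):
    """notBefore is a string such as 'Apr  9 00:00:00 2014 GMT', which the
    ssl module parses into POSIX seconds."""
    return ssl.cert_time_to_seconds(cert["notBefore"])

def assess(cert, patched_at):
    """patched_at: POSIX time the host's OpenSSL was updated, or None if not yet.
    Order matters: a key generated on a still-vulnerable server is itself exposed."""
    if patched_at is None:
        return "UNPATCHED"          # patch OpenSSL first, then re-key
    issued = cert_issued_at(cert)
    if issued < DISCLOSURE:
        return "OLD-KEY"            # certificate predates disclosure: re-key and reissue
    if issued < patched_at:
        return "REKEYED-TOO-EARLY"  # new key made while still vulnerable: re-key again
    return "OK"                     # re-keyed after the patch

def audit(inventory):
    """inventory: iterable of (host, cert_dict, patched_at) -> {host: status}."""
    return {host: assess(cert, patched_at) for host, cert, patched_at in inventory}

# Constructed sample inventory (hosts, certificates and patch times are made up).
DAY = 86400
SAMPLE = [
    ("www.example.test", {"notBefore": "Apr  9 00:00:00 2014 GMT"}, DISCLOSURE + 1 * DAY),
    ("mail.example.test", {"notBefore": "Apr  8 12:00:00 2014 GMT"}, DISCLOSURE + 3 * DAY),
    ("shop.example.test", {"notBefore": "Mar  1 00:00:00 2013 GMT"}, DISCLOSURE + 1 * DAY),
    ("legacy.example.test", {"notBefore": "Jan 15 00:00:00 2014 GMT"}, None),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:22} {status}")
```

A certificate whose notBefore falls after disclosure but before the host's patch time still warrants another re-key, since the private key was generated on a server that could still be leaking memory.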
Symantec has offered running guidance for customers as it explores the depth of its products' Heartbleed exposure.