In the wake of Heartbleed, make sure your browser checks for revoked certs


The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library.

Last Monday, Heartbleed, one of the worst security vulnerabilities in the history of the Internet, was announced to the public. This isn't hyperbole - ⅔ of the Internet’s websites rely on the underlying OpenSSL libraries that are at the center of the exploit. For a while, it looked like an exploit in theory only, but Cloudflare announced a challenge to see if the security community was overreacting to the tin foil hat crowd. It turns out that the vulnerability can be and has been exploited.

Any site using the underlying OpenSSL cryptographic software library that contained the vulnerability has been scrambling over the past week to update systems. It has been great to see the rapid and broad-based response, but updating and patching systems is only the initial step to dealing with the issue. The patch stops attackers from continuing to steal sensitive information like private keys and passwords, but it doesn’t help if your data has been exposed. Users should change passwords as soon as sites patch. CNET is tracking the status of the Alexa Top 100 here.

It isn’t just user passwords at risk. Website private keys for certificates were exposed as well, and any site that was vulnerable should revoke any certificate associated with the site. Stolen certificates could be a bigger vulnerability than user credentials because - armed with the certificate - an attacker has most of what they’d need to carry out a Man-in-the-Middle attack, impacting everyone.

In order for revocation to work, the browser needs to check if the certificate has been revoked. Certificate Authorities (CAs) make this relatively simple, and most traditional browsers integrate a check. Safari and Internet Explorer will issue warnings when attempting to visit a site with a revoked certificate. Firefox will outright block you. But Chrome doesn't check for updated revoked certificate lists by default. While that is great for speed, it's not the most secure implementation.
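To make the difference concrete, here is an added example (not part of the original post) of a client-side check that accepts a revoked certificate when it skips the CRL and rejects it when it consults one. It assumes the third-party Python `cryptography` package; the CA, the `site.example` name, the serial numbers and the dates are all constructed test data, and the function names are hypothetical.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2014, 4, 14)  # constructed timestamp for the sample data

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, issuer, pubkey, signer, serial, is_ca):
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(pubkey).serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))  # constructed test certificate

def make_crl(issuer, signer, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer))
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:  # one CRL entry per revoked serial number
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(signer, hashes.SHA256())

def check(cert, ca_cert, crl=None):
    """Verify the CA signature, then check revocation only if a CRL is supplied."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted"
    if crl is None:
        return "accepted"  # no revocation check: a revoked cert still passes
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-crl"   # only trust a CRL signed by the issuing CA
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "accepted" if hit is None else "revoked"

def demo():
    ca_key, old_key, new_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = issue("Constructed Test CA", "Constructed Test CA", ca_key.public_key(), ca_key, 1, True)
    old = issue("site.example", "Constructed Test CA", old_key.public_key(), ca_key, 1001, False)
    new = issue("site.example", "Constructed Test CA", new_key.public_key(), ca_key, 1002, False)
    crl = make_crl("Constructed Test CA", ca_key, [1001])  # old cert revoked, site re-keyed
    return {"old_unchecked": check(old, ca), "old_checked": check(old, ca, crl),
            "new_checked": check(new, ca, crl)}
```

Validity dates, hostname matching and CRL freshness are deliberately left out so that the only variable is whether the revocation list is consulted.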

Mobile browsers are hardly mentioned. Safari on iOS does not honor certificate revocation lists. Even worse, there is no setting to allow it to do so.

Since the Silo browser runs in the cloud, any device users connect with benefits from our centralized security, which includes a check for revoked certificates - including Silo on iPad - without users having to do anything.

Silo will actively block you from visiting sites using revoked certificates, which helps you avoid fallout from the Heartbleed bug. Whether coming in from your Windows XP machine or your iPad, Silo users have a secure and unified browsing experience across all devices.

If you have any questions, you can leave a comment below or reach us directly at [email protected].