
myforwik writes:

http://arstechnica.com/security/2014/04/critical-crypto-bug-...

"Even 11 is an understatement. Remember the servers involved have potentially been leaking the private key for their certificate! This means anyone can 'fake' being them.

It is not enough to issue new certificates. All of the old certificates could now be used for man-in-the-middle attacks! 2/3rds of the Internet's certificates potentially need to be blacklisted! This is a MAJOR disaster.

It is unfeasible to blacklist such a large number of certificates, as every device requires a list of all blacklisted certificates. This means all of the major CAs are going to have to blacklist their intermediate certificate authorities and start issuing all new certificates under new CAs. This means even people who weren't affected will probably have to have their certificates blacklisted.

In short, EVERY existing CA used on the Internet may have to be blacklisted, and every single SSL certificate re-issued.

IMO SSL/TLS is now completely broken. The number of potential certificates that have been exploited and that could now be used for man-in-the-middle attacks could be in the millions..... the list of blacklisted certificates will be in the millions and/or the number of blacklisted sub certificate authorities is probably going to be 10,000+. Vendors already hate just including one or two items on the blacklist, let alone this number of items.... "

It's not actually two thirds of the Internet, but the effects can be much bigger than most people imagine at the moment: either the massive blacklisting, or ignoring the period of potential exposure.

Hopefully all this can result in a push to change some of the principles of certificate verification, and maybe a different approach to OpenSSL development.
