Heartbleed and Extended Validation Assignment - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Heartbleed

In April 2014, a vulnerability was disclosed in the OpenSSL cryptographic software library, known as the Heartbleed bug (CVE-2014-0160). It affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g. The Heartbleed bug allowed malicious actors to trick vulnerable servers (and, in the other direction, vulnerable clients talking to a malicious server) into sending back sensitive data from the memory of the process running OpenSSL. Specifically, the bug lived in the TLS heartbeat extension, a keep-alive function that two peers use to make sure they are still connected: one side sends a heartbeat request carrying a small payload, and the other side echoes the payload back. The heartbeat request includes a field stating the length of its own payload, but the vulnerable OpenSSL code never checked that claimed length against the size of the record that had actually arrived. The server allocated a response buffer of the claimed size and copied that many bytes starting at the payload, so if a request said its payload was 40 KB but was actually 20 KB, the server would send back the 20 KB that were sent plus whatever 20 KB of data happened to sit next to the request in its memory. Because the length field is 16 bits, each crafted heartbeat could leak up to 64 KB, and an attacker could simply repeat the request to harvest more. At the time of disclosure an estimated 17% of the internet's secure web servers were vulnerable, and the leaked memory could contain the server's private key, user session cookies, passwords, and other sensitive information.

Link used: https://www.csoonline.com/article/562859/the-heartbleed-bug-how-a-flaw-in-openssl-caused-a-security-crisis.html
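To make the over-read concrete, here is an added example in C, written for this page rather than taken from OpenSSL or the article above, that reproduces the heartbeat handling in miniature. `heartbeat_vulnerable` copies as many payload bytes as the record claims, which is the pre-1.0.1g logic; `heartbeat_fixed` adds the bounds check that the 1.0.1g patch introduced. The request and the "secret" that `build_scenario` places right after it in the same memory region are constructed test data, and all function names here are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { TLS1_HB_REQUEST = 1, TLS1_HB_RESPONSE = 2, HB_PADDING = 16 };

/* Same job as OpenSSL's n2s() macro: read a big-endian 16-bit length. */
static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shared tail of both handlers: write the response header, copy `payload` bytes
   from `pl`, append padding. Returns the response length. */
static int write_response(unsigned char *out, const unsigned char *pl, uint16_t payload)
{
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);            /* the copy whose length the attacker controls */
    bp += payload;
    memset(bp, 0, HB_PADDING);          /* OpenSSL uses random padding; zeros suffice here */
    return (int)(bp - out) + HB_PADDING;
}

/* VULNERABLE: mirrors the pre-1.0.1g logic. The length comes from inside the record;
   `rec_len`, the number of bytes that actually arrived, is never consulted. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p);  p += 2;
    (void)rec_len;                                                  /* the bug: never checked */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return -1;  /* only protects our own buffer */
    return write_response(out, p, payload);                         /* reads past the real request */
}

/* FIXED: mirrors the 1.0.1g patch. Silently discard the record if the claimed
   payload does not fit inside what was actually received. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;                    /* too short to be valid */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p);  p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the missing bounds check */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return -1;
    return write_response(out, p, payload);
}

/* ---- constructed scenario (not a real capture) ---------------------------------
   A request claiming CLAIMED_LEN bytes of payload but carrying only "hello", with a
   "secret" that happens to sit right after it in the same memory region. */
#define CLAIMED_LEN 64
#define SECRET "PRIVATE_KEY=hunter2"

static size_t build_scenario(unsigned char *mem, size_t cap)
{
    size_t n = 0;
    memset(mem, 0, cap);
    mem[n++] = TLS1_HB_REQUEST;
    mem[n++] = CLAIMED_LEN >> 8;  mem[n++] = CLAIMED_LEN & 0xff;   /* claims 64 bytes */
    memcpy(mem + n, "hello", 5);  n += 5;                           /* actually sends 5 */
    n += HB_PADDING;                                                /* padding already zeroed */
    size_t rec_len = n;                                             /* 24 bytes really received */
    memcpy(mem + n, SECRET, sizeof SECRET);                         /* adjacent process memory */
    return rec_len;
}

/* Run a handler on the scenario. Returns 1 if the response contains SECRET,
   0 if it does not, -1 if the handler refused the record. */
int leaks_secret(int (*handler)(const unsigned char *, size_t, unsigned char *, size_t))
{
    unsigned char mem[256], out[256];
    size_t rec_len = build_scenario(mem, sizeof mem);
    int n = handler(mem, rec_len, out, sizeof out);
    if (n < 0) return -1;
    for (size_t i = 3; i + sizeof SECRET - 1 <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

/* A well-formed 5-byte request: both handlers must answer with 1+2+5+16 = 24 bytes. */
int valid_roundtrip(int (*handler)(const unsigned char *, size_t, unsigned char *, size_t))
{
    unsigned char req[1 + 2 + 5 + HB_PADDING] = { TLS1_HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    unsigned char out[64];
    return handler(req, sizeof req, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks the secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler result (-1 = dropped): %d\n", leaks_secret(heartbeat_fixed));
    printf("well-formed request, fixed handler:  %d bytes\n", valid_roundtrip(heartbeat_fixed));
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed payload length against `rec_len`; with it, the malformed record is dropped, while a well-formed request is still answered. In the real bug the bytes beyond the request came from OpenSSL's heap rather than from a stack array, which is why keys and session cookies from other connections could show up in the response.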

Extended Validation Certificate

An Extended Validation (EV) certificate is a TLS/SSL certificate that indicates the certificate holder has gone through the most extensive level of vetting and identity background checks a public CA performs, to certify that the organization behind the website is legitimate. The difference between an EV certificate and a Domain Validation (DV) certificate is that to get a DV certificate all the buyer must do is demonstrate control of the domain; nothing about who owns it is verified. EV certificates therefore give stronger assurance of the site operator's identity than DV certificates, although the encryption of the TLS connection is the same with either. The criteria for acquiring an EV certificate are as follows: be a legally registered company, verify the company's physical operating location, verify that the company has been in operation for at least 3 years, verify that the company has control over the domain, and complete a phone call authentication. There are a few ways that users can identify whether a certificate is an EV certificate. In older browsers you might see the verified company name next to the lock at the left of the address bar. I found when checking in my Chrome browser that this seems to no longer work, at least in more recent versions: Chrome removed the EV company name from the address bar in Chrome 77 and Firefox did the same in Firefox 70 (both in 2019), so it now only appears in the certificate viewer. A check that still works everywhere is to look at the OID (object identifier) listed under "Certificate Policies" in the certificate details. The standard OID for an EV certificate is 2.23.140.1.1, the CA/Browser Forum EV policy identifier; a CA may list its own EV policy OID next to it. Below you can see a certificate for Chase bank that has that same OID!

Links used: https://www.digicert.com/faq/public-trust-and-certificates/what-is-an-extended-validation-ev-ssl-certificate

https://www.digicert.com/difference-between-dv-ov-and-ev-ssl-certificates#:~:text=Extended%20Validation%20certificates%20are%20high,of%20the%20domain%20or%20URL.

https://en.wikipedia.org/wiki/Extended_Validation_Certificate#:~:text=the%20certificate%20authority.-,Extended%20Validation%20certificate%20identification,the%20Certificate%20Policies%20extension%20field.
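As an added example (not from this page's sources), the OID check described above done programmatically in C: a small DER walker that locates the Certificate Policies extension (OID 2.5.29.32) inside a DER-encoded X.509 certificate and reports whether the CA/Browser Forum EV policy OID 2.23.140.1.1 is listed among its policies. No real certificate is embedded, so `build_skeleton` constructs a certificate-shaped DER structure (not a valid or signed certificate; issuer, subject, validity and key are left out) carrying a chosen policy OID, which lets the parser run offline. `cert_is_ev`, `build_skeleton` and `check_policy` are names chosen for this example; the DV policy OID 2.23.140.1.2.1 used for the negative case is the CA/Browser Forum domain-validated identifier.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const unsigned char *p; size_t len; } der_t;   /* a DER slice */

/* Read one TLV at the start of `in`: fills tag and value, returns the TLV's total
   size, or 0 if malformed. Handles short-form and 1- or 2-byte long-form lengths. */
static size_t der_read(der_t in, unsigned char *tag, der_t *val)
{
    if (in.len < 2) return 0;
    size_t hdr = 2, n = in.p[1];
    if (n & 0x80) {
        size_t k = n & 0x7f;
        if (k == 0 || k > 2 || in.len < 2 + k) return 0;
        for (n = 0; hdr < 2 + k; hdr++) n = (n << 8) | in.p[hdr];
    }
    if (in.len < hdr + n) return 0;
    *tag = in.p[0]; val->p = in.p + hdr; val->len = n;
    return hdr + n;
}

/* Decode an OBJECT IDENTIFIER body into dotted text, e.g. "2.23.140.1.1". */
static void der_oid_to_str(der_t oid, char *out, size_t cap)
{
    size_t pos = 0; unsigned v = 0; int first = 1;
    out[0] = '\0';
    for (size_t i = 0; i < oid.len && pos < cap; i++) {
        v = (v << 7) | (oid.p[i] & 0x7f);
        if (oid.p[i] & 0x80) continue;                   /* continuation bit: more base-128 digits */
        if (first) {                                     /* first value packs the first two arcs */
            pos += (size_t)snprintf(out + pos, cap - pos, "%u.%u", v < 80 ? v / 40 : 2, v < 80 ? v % 40 : v - 80);
            first = 0;
        } else pos += (size_t)snprintf(out + pos, cap - pos, ".%u", v);
        v = 0;
    }
}

/* Return 1 if the DER certificate lists the EV policy OID 2.23.140.1.1 in its
   Certificate Policies extension, 0 if it does not, -1 on a parse error. */
int cert_is_ev(const unsigned char *der, size_t der_len)
{
    der_t cert = { der, der_len }, tbs, cur, v, exts = { NULL, 0 };
    unsigned char tag; size_t n; char name[64];
    if (!der_read(cert, &tag, &tbs) || tag != 0x30) return -1;     /* Certificate */
    if (!der_read(tbs, &tag, &cur) || tag != 0x30) return -1;      /* tbsCertificate */
    while ((n = der_read(cur, &tag, &v)) != 0) {                   /* find [3] EXPLICIT Extensions */
        if (tag == 0xA3) { exts = v; break; }
        cur.p += n; cur.len -= n;
    }
    if (!exts.p || !der_read(exts, &tag, &cur) || tag != 0x30) return -1;
    while ((n = der_read(cur, &tag, &v)) != 0) {                   /* each Extension */
        der_t oid, val, pols, pi, pid;
        size_t m = der_read(v, &tag, &oid);
        cur.p += n; cur.len -= n;
        if (!m || tag != 0x06) return -1;
        der_oid_to_str(oid, name, sizeof name);
        if (strcmp(name, "2.5.29.32") != 0) continue;              /* not certificatePolicies */
        v.p += m; v.len -= m;
        m = der_read(v, &tag, &val);
        if (m && tag == 0x01) { v.p += m; v.len -= m; m = der_read(v, &tag, &val); } /* skip 'critical' */
        if (!m || tag != 0x04) return -1;                          /* extnValue OCTET STRING */
        if (!der_read(val, &tag, &pols) || tag != 0x30) return -1; /* SEQUENCE OF PolicyInformation */
        while ((m = der_read(pols, &tag, &pi)) != 0) {
            pols.p += m; pols.len -= m;
            if (!der_read(pi, &tag, &pid) || tag != 0x06) return -1; /* policyIdentifier */
            der_oid_to_str(pid, name, sizeof name);
            if (strcmp(name, "2.23.140.1.1") == 0) return 1;
        }
        return 0;
    }
    return 0;                                                      /* no policies extension at all */
}

/* Minimal DER writer (short-form lengths only; enough for the skeleton below). */
static size_t tlv(unsigned char *out, unsigned char tag, const unsigned char *body, size_t n)
{
    out[0] = tag; out[1] = (unsigned char)n; memcpy(out + 2, body, n); return n + 2;
}

/* Constructed input: NOT a valid certificate, just the same nesting as a real one,
   with a certificatePolicies extension holding `policy` (the DER body of an OID). */
size_t build_skeleton(unsigned char *out, const unsigned char *policy, size_t policy_len)
{
    static const unsigned char ext_oid[] = { 0x55, 0x1D, 0x20 };          /* 2.5.29.32 */
    static const unsigned char head[] = { 0xA0, 3, 2, 1, 2, 2, 1, 1 };    /* version v3, serial 1 */
    static const unsigned char tail[] = { 0x30, 0, 0x03, 1, 0 };          /* empty sigAlg, empty signature */
    unsigned char a[64], b[64], c[64];
    size_t n, k;
    n = tlv(a, 0x06, policy, policy_len);             /* policyIdentifier */
    n = tlv(b, 0x30, a, n);                           /* PolicyInformation */
    n = tlv(a, 0x30, b, n);                           /* SEQUENCE OF PolicyInformation */
    n = tlv(b, 0x04, a, n);                           /* extnValue OCTET STRING */
    k = tlv(a, 0x06, ext_oid, sizeof ext_oid);        /* extnID */
    memcpy(a + k, b, n);  n = tlv(c, 0x30, a, k + n); /* Extension */
    n = tlv(a, 0x30, c, n);                           /* Extensions */
    n = tlv(b, 0xA3, a, n);                           /* [3] EXPLICIT */
    memcpy(a, head, sizeof head);  memcpy(a + sizeof head, b, n);
    n = tlv(c, 0x30, a, sizeof head + n);             /* tbsCertificate */
    memcpy(c + n, tail, sizeof tail);
    return tlv(out, 0x30, c, n + sizeof tail);        /* Certificate */
}

static const unsigned char EV_OID[] = { 0x67, 0x81, 0x0C, 0x01, 0x01 };       /* 2.23.140.1.1   (EV) */
static const unsigned char DV_OID[] = { 0x67, 0x81, 0x0C, 0x01, 0x02, 0x01 }; /* 2.23.140.1.2.1 (DV) */

/* Build a skeleton carrying the given policy OID and run the EV check on it. */
int check_policy(const unsigned char *policy, size_t policy_len)
{
    unsigned char der[128];
    return cert_is_ev(der, build_skeleton(der, policy, policy_len));
}

int main(void)
{
    printf("skeleton with EV policy OID: %d\n", check_policy(EV_OID, sizeof EV_OID));
    printf("skeleton with DV policy OID: %d\n", check_policy(DV_OID, sizeof DV_OID));
    return 0;
}
```

`cert_is_ev` takes any DER certificate, so for a real site you can fetch the leaf with `openssl s_client -connect www.chase.com:443 -servername www.chase.com </dev/null | openssl x509 -outform DER -out chase.der`, read that file into a buffer and pass it in; or simply run `openssl x509 -in chase.der -inform DER -noout -text` and look for `Policy: 2.23.140.1.1` under `X509v3 Certificate Policies`, which is the same field the browser's certificate viewer shows.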