4

Situation 1 (safe):

  • Website was vulnerable to heartbleed and using a certificate not valid before 2012-10-21
  • Website upgraded to an unvulnerable version of OpenSSL
  • Website re-keyed and got a their certificate reissued, with with same not-valid-before date of 2012-10-21
  • Today, when I inspect the site, I find it not vulnerable to heartbleed, and using a certificate with a not-valid-before date of 2012-10-21

Situation 2 (unsafe):

  • Website was vulnerable to heartbleed and using a certificate not valid before 2012-10-21
  • Website upgraded to an unvulnerable version of OpenSSL
  • Today, when I inspect the site, I find it not vulnerable to heartbleed, and using a certificate with a not-valid-before date of 2012-10-21

As far as I understand things, these two situations are indistinguishable to me as an end user who has never visited the website in question before. What am I missing?

FYI, situation 1 is apparently the case for *.wikipedia.org. They said that's just the way Digicert reissues certificates.

2 Answers2

0

You can search for the Certificate Authority's CRL (i.e. http://www.verisign.com/repository/crl.html from VeriSign) and see if they have recently revoked an the old certificate but to do that you will generally need the old certificate's serial number. You could also, if you had the old serial number, just compare it to the new one.

The problem is that there isn't much you can really do to see if it is a different certificate than before without the old certificate serial number.

UKB
  • 51
0

Zmap.io have a list of changes to certificates for the top 5,000 most popular sites. Note that the date listed there does not rely on the Not Valid Before date of the certificate itself and therefore should represent an accurate date for when the certificate was last changed. (I used Wikipedia.org to check this as they get their certificates from DigiCert who backdate the Not Valid Before date when re-keying certificates.)

They link to the raw data they used which presumably covers a lot more than just the top 5,000 sites but at the time I am writing this, the site is not responding.

Another project that collects certificate fingerprints is Convergence. I haven't explored yet to see if you can extract fingerprints and dates out of it but if you were using it before HeartBleed, it would probably warn you when a site's certificate changed (unless a majority of other people using it had already accepted the new certificate for that site). Ironically, no warning in this situation would be an indication that you were not safe and a warning would be an indication that you were safe.

Ladadadada
  • 184