I find it impossible to believe that you could find your way to my blog without knowing what the Heartbleed vulnerability is, but just in case, more information can be found here. It has been all over every sort of news. If you read news on the Internet, you HAD to have heard about it.
The CodeWatch site was vulnerable. In an effort to support TLS 1.2 and cipher suites that provide perfect forward secrecy (PFS), I was on one of the latest versions of OpenSSL, 1.0.1e to be exact. Within a day of the announcement I had OpenSSL patched, and within two days or so I had re-generated my private key and had my CA reissue my certificate based on the new key, but I am only now getting around to posting about it. If you use the CodeWatch web app on this site, you should change your password(s) just in case.
Here is a list of actions I took to remediate the vulnerability:
- Downloaded and compiled the patched version of OpenSSL (1.0.1g).
- Compiled the latest stable version of Nginx against OpenSSL 1.0.1g. This was done on the externally facing web server; I also rebuilt several internal systems to remediate the vulnerability inside the network.
- Re-generated the web server’s private key.
- Issued a new certificate signing request using the new private key.
- Issued a new certificate using the certificate signing request with my Certificate Authority.
- Revoked the old certificate.
- Installed the new key and certificate on the web server.
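As an added example for the first two steps above (my own code, not anything taken from the CodeWatch server or from Nginx), here is a small Python check that parses the OpenSSL version string printed by `openssl version` or `nginx -V` and applies the published affected range: upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 were vulnerable, 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never had the heartbeat code. The `nginx -V` sample is constructed. Two caveats the check cannot see: an Nginx that was statically linked against 1.0.1e, as a hand-compiled build usually is, stays vulnerable until it is rebuilt no matter what the system library says, and distributions that backported the fix keep reporting 1.0.1e, so for a packaged OpenSSL the package changelog, not the version string, is authoritative.

```python
import re

# Constructed sample of what `nginx -V` prints when the binary was built against one
# OpenSSL and is running against another; not output captured from the blog's server.
SAMPLE_NGINX_V = """nginx version: nginx/1.4.7
built with OpenSSL 1.0.1e 11 Feb 2013 (running with OpenSSL 1.0.1g 7 Apr 2014)
TLS SNI support enabled
"""

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(\S+))?")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, suffix) for the first 'OpenSSL x.y.z' in text."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, letter, suffix = m.groups()
    return (int(major), int(minor), int(patch), letter, suffix or "")


def is_heartbleed_vulnerable(version):
    """Upstream affected range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g fixed it,
    and the 0.9.8 / 1.0.0 branches never carried the TLS heartbeat extension code."""
    major, minor, patch, letter, suffix = version
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"          # '' (plain 1.0.1) and a..f all sort below g
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"
    return False


def format_version(version):
    major, minor, patch, letter, suffix = version
    return f"{major}.{minor}.{patch}{letter}" + (f"-{suffix}" if suffix else "")


def check_nginx(nginx_v_output):
    """Report the OpenSSL version nginx actually uses. A dynamically linked nginx reports
    'running with' the library it loaded; a static build only has 'built with'."""
    built = running = None
    for line in nginx_v_output.splitlines():
        if "built with OpenSSL" in line:
            built = parse_openssl_version(line.split("built with", 1)[1])
        if "running with OpenSSL" in line:
            running = parse_openssl_version(line.split("running with", 1)[1])
    effective = running or built
    if effective is None:
        return {"built": None, "running": None, "vulnerable": None}
    return {
        "built": format_version(built) if built else None,
        "running": format_version(running) if running else None,
        "vulnerable": is_heartbleed_vulnerable(effective),
    }


if __name__ == "__main__":
    print(check_nginx(SAMPLE_NGINX_V))
```

Run it against the real `nginx -V 2>&1` output on a host; a result with `running` set to `None` and `built` in the affected range is exactly the statically linked case that needs a rebuild.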
What a pain! The good news (I guess, kind of?) is that even if my private key had been compromised and traffic to the site intercepted, an attacker should still not be able to decrypt that traffic, because the CodeWatch site has supported only PFS cipher suites from the beginning, so the session keys were never derived from the server's private key.
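To make the PFS point concrete, here is an added Python example (my own illustration, not the site's actual configuration or any Nginx code) that classifies each suite in an nginx `ssl_ciphers` string by its key exchange and lists the ones that would let a stolen private key decrypt recorded traffic. With (EC)DHE the server's long-term key only signs the ephemeral parameters; with plain RSA key exchange the client encrypts the premaster secret to that key, so a leaked key unlocks every captured session. Both cipher strings are constructed. The caveat that still justifies the re-keying steps in the list above: forward secrecy protects past sessions only, and a leaked key lets someone impersonate the server in new connections until the certificate is revoked and replaced.

```python
# Constructed cipher strings in nginx `ssl_ciphers` / OpenSSL list syntax, for illustration
# only; neither is the CodeWatch configuration.
MIXED = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-SHA:HIGH:!aNULL:!MD5"
PFS_ONLY = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
            "DHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5")


def key_exchange(suite):
    """Classify an OpenSSL suite name by its key exchange, which decides forward secrecy."""
    if suite.startswith(("ADH-", "AECDH-")):
        return "anon"            # ephemeral but unauthenticated: no server identity at all
    if suite.startswith("ECDHE-"):
        return "ECDHE"           # ephemeral ECDH, signed by the server key: forward secret
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"             # ephemeral finite-field DH: forward secret
    if suite.startswith("ECDH-"):
        return "ECDH-static"     # fixed ECDH key in the certificate: no forward secrecy
    # Assumption: anything else is a classic suite such as AES128-SHA, DES-CBC3-SHA or
    # RC4-SHA, which all use RSA key exchange. PSK/SRP suites are out of scope here.
    return "RSA"


def is_macro(token):
    """HIGH, MEDIUM, aNULL, !MD5, @STRENGTH and friends are selectors, not suites.
    Every concrete OpenSSL suite name of this era contains a hyphen; selectors do not."""
    return token[0] in "!-+@" or "-" not in token


def classify_cipher_string(cipher_string):
    """Split a colon-separated cipher string into (token, key-exchange-or-'macro') pairs."""
    report = []
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        report.append((token, "macro" if is_macro(token) else key_exchange(token)))
    return report


def non_pfs_suites(cipher_string):
    """Concrete suites that would let a stolen private key decrypt past traffic."""
    return [name for name, kx in classify_cipher_string(cipher_string)
            if kx in ("RSA", "ECDH-static")]


def macros_present(cipher_string):
    """Macros expand on the server to whatever that OpenSSL build supports, which can include
    non-PFS suites; a policy that must guarantee PFS should list its suites explicitly."""
    return [name for name, kx in classify_cipher_string(cipher_string) if kx == "macro"]


if __name__ == "__main__":
    for label, cfg in (("MIXED", MIXED), ("PFS_ONLY", PFS_ONLY)):
        print(label, "non-PFS:", non_pfs_suites(cfg), "macros:", macros_present(cfg))
```

Paste the `ssl_ciphers` value from your own nginx configuration into `non_pfs_suites`; an empty result plus an empty `macros_present` result is the configuration this post describes.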