Hi all, A serious vulnerability in OpenSSL 1.0.1-1.0.1f was announced today, which allows a connected client or server to read up to 64kb of memory at a time. This can be exploited repeatedly to leak arbitrary amounts of key material, including private SSL keys and Tor Hidden Service private keys. (You can read more about the impact on Tor via this blog post: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160.)
Here's how this bug affects HTTPS Everywhere, to the best of my understanding:

* The EFF server that hosted HTTPS Everywhere downloads was running an affected version of OpenSSL. In theory, this means that an attacker could have exploited the vulnerability to get a copy of our private SSL key. Note that this also applies to a large fraction of the servers on the Internet. In our case, the potential damage is mitigated by the fact that our servers supported ciphersuites with forward secrecy (such that future compromise of our SSL private key can't be used to decrypt past communications).

* However, even if EFF's private SSL keys have been compromised, updates to Firefox and Chrome HTTPS Everywhere are still safe (assuming you downloaded a safe copy of HTTPS Everywhere to begin with). This is because we sign all updates with an offline key, and Firefox/Chrome rejects updates unless they have a valid signature.

To check that you have a "good" copy of HTTPS Everywhere (one with the correct update signing keys), you can do the following:

# Firefox:

1. Go to your Firefox profile directory: https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data#w_how-do-i-find-my-profile.
2. From there, go into ./extensions/[email protected]/
3. Open up install.rdf. You should see the following line:

<em:updateKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB</em:updateKey>

# Chrome:

1. Go to your Chrome/Chromium profile directory: http://www.chromium.org/user-experience/user-data-directory
2. From there, go into ./Extensions/gcbommkclmclpchllfjekcdonpmejbdp/ADDON_VERSION, where ADDON_VERSION should be something like 2014.1.3_0.
3. Open up manifest.json. You should see the following value for "key":

"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB"

(Note that the keys are the same. For reference, the sha1sum is c33840b49a97cddc65e2c6bd312b2c6e7e6982e8.)

Hope this helps,
Yan

PS: Server operators are recommended to update OpenSSL to 1.0.1f immediately and rotate all private keys that could have been exposed.

--
Yan Zhu <[email protected]>, <[email protected]>
Staff Technologist
Electronic Frontier Foundation
https://www.eff.org
815 Eddy Street, San Francisco, CA 94109
+1 415 436 9333 x134
signature.asc
Description: OpenPGP digital signature
_______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
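The two manual checks in Yan's post (open install.rdf and manifest.json, eyeball the base64 key) can be automated. The script below is an added example written for this page; it is not part of the post and not HTTPS Everywhere's own code. It extracts em:updateKey from install.rdf and "key" from manifest.json, compares each against the key quoted in the post, parses the DER SubjectPublicKeyInfo far enough to confirm it is a 2048-bit RSA key with exponent 65537, and derives the Chrome extension ID from the key the way Chrome does (first 128 bits of SHA-256 over the DER key, hex digits written as the letters a..p), which you can compare with the Extensions/ directory name from the post. The install.rdf, the manifest.json and the tampered manifest are constructed inline for the example; the post does not say what its sha1sum was taken over, so that value is not recomputed here.

```python
import base64
import hashlib
import json
import xml.etree.ElementTree as ET

# Update-signing public key as quoted in the post (base64 DER SubjectPublicKeyInfo).
EXPECTED_KEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqB"
    "sYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7x"
    "WDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQt"
    "WV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTA"
    "QXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6m"
    "glcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYB"
    "RJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
EM_NS = "{http://www.mozilla.org/2004/em-rdf#}"


def decode_key(key_b64):
    """Strict base64 decode (rejects stray characters) to DER bytes."""
    return base64.b64decode(key_b64, validate=True)


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(key_b64):
    """Return (modulus_bits, public_exponent) of an RSA SubjectPublicKeyInfo.

    Layout: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                       BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
    """
    der = decode_key(key_b64)
    tag, spki, end = _der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    alg_tag, alg_id, pos = _der_tlv(spki, 0)
    oid_tag, oid, _ = _der_tlv(alg_id, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bs_tag, bit_string, _ = _der_tlv(spki, pos)
    if bs_tag != 0x03 or bit_string[0] != 0:  # first byte = unused-bits count
        raise ValueError("malformed subjectPublicKey BIT STRING")
    seq_tag, rsa_pub, _ = _der_tlv(bit_string[1:], 0)
    n_tag, n_bytes, pos = _der_tlv(rsa_pub, 0)
    e_tag, e_bytes, _ = _der_tlv(rsa_pub, pos)
    if seq_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def chrome_extension_id(key_b64):
    """Chrome's ID derivation: SHA-256 over the DER key, first 32 hex digits,
    each hex digit 0..f replaced by the letter a..p."""
    digest = hashlib.sha256(decode_key(key_b64)).hexdigest()[:32]
    return "".join("abcdefghijklmnop"[int(c, 16)] for c in digest)


def firefox_update_key(install_rdf_text):
    """em:updateKey from install.rdf, with any line-wrapping whitespace removed."""
    node = ET.fromstring(install_rdf_text).find(".//" + EM_NS + "updateKey")
    if node is None or not node.text:
        return None
    return "".join(node.text.split())


def chrome_key(manifest_json_text):
    """The "key" field from manifest.json (None if absent)."""
    return json.loads(manifest_json_text).get("key")


def key_matches(found_b64, expected_b64=EXPECTED_KEY_B64):
    return found_b64 is not None and found_b64 == expected_b64


# Constructed sample files for the example (not copied from a real profile).
SAMPLE_INSTALL_RDF = (
    '<?xml version="1.0"?>\n'
    '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
    '     xmlns:em="http://www.mozilla.org/2004/em-rdf#">\n'
    '  <Description about="urn:mozilla:install-manifest">\n'
    '    <em:updateKey>' + EXPECTED_KEY_B64 + '</em:updateKey>\n'
    '  </Description>\n'
    '</RDF>\n'
)
SAMPLE_MANIFEST_JSON = json.dumps({"manifest_version": 2, "key": EXPECTED_KEY_B64})
# Same manifest with the last base64 group altered: a different update key.
TAMPERED_MANIFEST_JSON = json.dumps({"manifest_version": 2, "key": EXPECTED_KEY_B64[:-4] + "AQAC"})

if __name__ == "__main__":
    print("Firefox key ok:", key_matches(firefox_update_key(SAMPLE_INSTALL_RDF)))
    print("Chrome key ok: ", key_matches(chrome_key(SAMPLE_MANIFEST_JSON)))
    print("Tampered ok:   ", key_matches(chrome_key(TAMPERED_MANIFEST_JSON)))
    print("RSA (bits, e): ", parse_rsa_spki(EXPECTED_KEY_B64))
    print("Chrome ext id: ", chrome_extension_id(EXPECTED_KEY_B64))
```

To run it against a real profile, read install.rdf and manifest.json from the paths in the post and pass their contents to firefox_update_key and chrome_key instead of the constructed samples. The DER parse is there so that a key which merely looks like base64 is rejected unless it is structurally an RSA public key; the extension-ID derivation gives a second, independent check, since Chrome names the extension directory after the key and a substituted key would produce a different directory name.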
