The heart bleeds on open source projects

The Heartbleed bug in OpenSSL has been described by Bruce Schneier as “on the scale of 1 to 10, this is an 11”. It means any program using an affected version of OpenSSL could be probed easily for chunks of its memory – allowing anything the supposedly secure program was working with to be sent over the connection to the other end. This could include passwords in use, session cookies, and most worryingly, the private key of a server. If the private key of a server is known, an attacker can masquerade as the server, intercepting the traffic, or even decrypt previously captured traffic, getting login details and more on a continuous basis.

In many ways, a compromised private key is a far worse problem than no security at all – everything appears to be still using state-of-the-art security, but actually there’s no security at all. It’s like a burglar stealing the keys to your house – you can still lock the doors just the same, but it’ll do you no good – you need to change the locks.

The solution to the Heartbleed bug is just as simple, though just as labour-intensive: update OpenSSL to a fixed version, replace your keys, get a new certificate from your Certificate Authority, and revoke the old one – listing it publicly as being suspect. Most Certificate Authorities handle this as part of the service, but many Open Source project sites use a free certificate. Some CAs offering free certificates charge for revocations, and this has led to a problem for the Prosody IM project, who produce a highly regarded Open Source XMPP Server that we use for our own internal services here at Surevine.
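The “replace your keys” step above is where operators most often slip: a certificate re-issued against the old private key is just as exposed as the revoked one. The script below is an added example (not from the original post or the Prosody project) showing the rotation with the openssl command-line tool, plus a check that the certificate request you would send to the CA really carries a new public key. The hostname `example.invalid`, the file names and the self-signed “old” certificate standing in for the one being revoked are all constructed for the example.

```shell
#!/bin/sh
# Added example: rotate a server key after a suspected private-key compromise
# and verify that the replacement CSR carries a new public key. Runs offline
# with the openssl CLI; the "old" certificate is a constructed self-signed
# stand-in for the certificate that would be revoked at the CA.
set -eu

WORK="${TMPDIR:-/tmp}/keyrotate.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# SHA-256 fingerprint of the public key inside a certificate ("x509") or a
# certificate request ("req"). Two artefacts with the same fingerprint share
# a private key, so a certificate issued against the old key stays exposed.
pubkey_fingerprint() {
    # $1: "x509" or "req"; $2: PEM file
    openssl "$1" -in "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Generate a fresh private key and a CSR for the given hostname. The CSR is
# what you would submit to the CA for the replacement certificate.
make_key_and_csr() {
    # $1: hostname; $2: key path; $3: CSR path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null
    openssl req -new -key "$2" -subj "/CN=$1" -out "$3"
}

# Succeeds when the CSR's public key differs from the old certificate's,
# i.e. the key was actually rotated; fails when the old key was re-used.
key_was_rotated() {
    # $1: old certificate (PEM); $2: new CSR (PEM)
    old=$(pubkey_fingerprint x509 "$1")
    new=$(pubkey_fingerprint req "$2")
    [ "$old" != "$new" ]
}

# --- Constructed scenario -------------------------------------------------
HOST="example.invalid"   # placeholder hostname, not a real service

# Old key and a self-signed stand-in for the certificate being revoked.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/old.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/old.key" -subj "/CN=$HOST" -days 1 -out "$WORK/old.crt"

# Wrong way: request a new certificate without generating a new key.
openssl req -new -key "$WORK/old.key" -subj "/CN=$HOST" -out "$WORK/reused.csr"

# Right way: new key first, then a CSR for it.
make_key_and_csr "$HOST" "$WORK/new.key" "$WORK/new.csr"

if key_was_rotated "$WORK/old.crt" "$WORK/new.csr"; then
    echo "new.csr: public key differs from the revoked certificate, safe to submit"
fi
if ! key_was_rotated "$WORK/old.crt" "$WORK/reused.csr"; then
    echo "reused.csr: same public key as the revoked certificate, do not submit"
fi
```

Only the CSR leaves the machine; the new private key stays where the server reads it, and the old key should be deleted once the replacement certificate is installed and the old one revoked.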

While some Open Source projects are backed by companies happy to pay the running costs, Prosody, despite being used by a number of large companies, is written and maintained by a handful of independent developers. The Prosody IM project has two certificates, one for its website and one for its source repository. Both were potentially compromised, and both required fees to revoke. In order to avoid forcing the developers of Prosody to pay these revocation fees themselves, we decided to fund them both to revoke their compromised keys, and pay for them to switch to a better Certificate Authority, so they can’t be caught out in the future. It’s our way of thanking them for their excellent software.