ÃÛÌÒTV

News 04-11-2014

Heartbleed and the Problem of NotBefore Date

Jeff Snider

It is standard practice among Certificate Authorities, when re-keying an SSL certificate, to keep everything in the cert the same except for information related to the actual keys that have been changed.

That includes the validity dates, which has become an issue in the past day or so as at least one tool to test for Heartbleed vulnerability is looking at the NotBefore field (the beginning date) of a certificate to determine if it was issued before or after the Heartbleed fix on Monday.

Why you can't rely on NotBefore Date

There are a couple major flaws with this approach to Heartbleed vulnerability scanning:

  1. A site could have a new certificate, but if they installed it before patching their OpenSSL installation, it is subject to the same vulnerabilities as the previous certificate.
  2. Very few certificates that have been re-keyed will show a new NotBefore date.

SSL EncryptionÌýis at the coreÌýof online data security. As such, ÃÛÌÒTV has released a freeÌýCertificate Inspector. The Certificate InspectorÌýcloud-based certificate management platform allows administrators toÌýreview allÌýcertificates used by their servers and automatically ensure that they are not vulnerable to Heartbleed and a number of other critical security vulnerabilities.ÌýCertificate Inspector’s uniqueÌýalgorithm assigns grades to your certificates and their implementations, and provides an easy to follow list of remediation actions.

We have contacted the makers of the one tool we are aware of and urged them to change their methodology to be more in line with the actual practices of CAs. We urge the makers of any other similar tools to do the same. Until then, many sites that have patched the security hole will continue to return false positives.

Check the security of any site online

Users can also review individual sites for Heartbleed protection by using the ÃÛÌÒTV Certificate Checker tool for free on by going toÌýdigicert.com/help. The ÃÛÌÒTV Certificate Checker allows users to check the security for any site on the InternetÌýusing an SSL Certificates from anyÌýCertificate Providers. The checker also includes Heartbleed Detection andÌýensuresÌýthat sites are not vulnerable to weak keys orÌýother server security vulnerabilities.
UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-27-2024

6 actionable ways to secure the IIoT at every stage

Tracking the progress toward post-quantum cryptography

The state of PQC since the publication of FIPS 203, 204 and 205