Heartbleed Vulnerability in OpenSSL (CVE-2014-0160)
Since it hit the news on Monday, the technical support world has been scrambling to contain the damage from the Heartbleed vulnerability in OpenSSL, a piece of software that is widely used to provide encryption in web servers, VPNs and embedded devices. Any web site that connects as "https" is likely using OpenSSL. The vulnerability allows an attacker to gain access to memory on the server and to obtain the private key used for encryption on the server. With the private key, the attacker can then listen to encrypted conversations containing user IDs and passwords. With a password, the attacker can then log in as an authenticated user--potentially an authorized administrative user--and get access to a variety of confidential information. If an attacker manages to get a private key while a system is vulnerable, the attacker will still be able to listen to conversations until both OpenSSL is patched AND the private key and related certificates are replaced.
The vulnerability was present in released code for about two years before security researchers identified it. The vulnerability announcement is located at https://www.openssl.org/news/secadv_20140407.txt.
Actions for Managers
System administrators should update systems with the patched version of openssl immediately for web servers, routers and other devices that are vulnerable. SSL private keys and certificates will have to be replaced. Managers and executives should verify that this is happening.
Cisco has released an advisory for products that are vulnerable; the advisory is located at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed. Check with your VPN vendor to determine whether or not your enterprise VPN software is vulnerable.
Even if your site was not vulnerable, you might consider updating your certificate as reassurance to your users--an issue date after 2014-04-07 is perhaps the only way to determine that your site is secure.
If your IT department has users of Cygwin (Windows) and Macports (OS X) Unix/Linux command shell and utilities, they will need to update software to get the patched version of OpenSSL, but these are not widely used as web servers. This list is just the start of the software that is affected by this vulnerability.
My hosting firm, ipage.com, updated all servers on Monday with the release of the patched code, but didn't restart the web server on my VPS until I checked with them on Wednesday. Small business owners should verify that their web hosting firms have done the necessary updates and re-boots. I'm not looking forward to the process of revoking my existing certificate and getting a new one.
Actions for Users on Internet Sites
Users should change all passwords AFTER verifying that the various web sites have installed the patch. Don't reuse passwords--you should get a password manager and use a different strong password for each web site. A security researcher/consultant in Italy wrote an exploit and installed it on his server to allow users to test web sites. There are web sites where you can test for the vulnerability before changing passwords:
- See http://filippo.io/Heartbleed/ This was the first site to be set up with significant publicity. It is run by a cryptography consultant and will probably be swamped in the coming days.
- McAfee has provided a site to test systems as well; http://tif.mcafee.com/heartbleedtest?cid=146327&ctst=1.
You should change passwords again (or for the first time) after sites have replaced their private keys and SSL certificates--the Certificate Authorities are probably swamped right now and are likely to be one of the choke points in fixing this vulnerability. To tell whether or not a web site's private key and certificate have been replaced, click on the lock icon in your browser. It may take a few clicks, but you should be able to view the certificate issue date; look for an issue date after 2014-04-07. If this sounds like a serious pain, it is. I don't have suggestions for a way around it. There is an example below.
Actions for Home Networks and Small Business Owners
The problem is not limited to web servers. Because OpenSSL is open source, it is widely used in embedded devices--especially Wi-Fi routers. OpenSSL can be used in the implementation of WPA encryption, and may be vulnerable. The https administration console may also be vulnerable. If a device has vulnerable firmware, but the manufacturer does not issue an update, you may be able to salvage the device by installing an open source firmware like DD-WRT. Home owners and small business owners rarely update firmware, so the Heartbleed vulnerability is just one of many vulnerabilities on a typical Wi-Fi router.
Actions for Cell Phone Users
Some cell phones also have the vulnerable version of OpenSSL--Android 4.1.1 in particular, as well as some Blackberry, iOS and Android applications. Avoid using your device as a Wi-Fi hotspot until your phone's firmware has been updated. There may be other functions that are vulnerable.
Don't ignore this vulnerability.
Example of Checking a Certificate's Issue Date
To check whether or not a web site has replaced their private keys and has thus finished remediation of the Heartbleed vulnerability, check the issue date of their SSL certificates.
- First, click on the lock icon in the upper left corner of the URL for the web site. This is just to the left of https://www.google.com in the figure below. In the pop-up, select "More Information".
- Second, in the Page Info window, select the "View Certificate" button half way down on the right side.
- Finally, look at the "Issued On" date under the "Validity" section of the Certificate Viewer. Generally, this should be 2014-04-07 or later. A Google researcher was one of the ones who identified the Heartbleed vulnerability, so Google got a head start on remediating their systems. That is why they have certificate issue dates of 2014-04-02 instead of 2014-04-07.
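The same check from the command line, as an added example that is not part of the original article: it reads the "Issued On" (notBefore) date of a server certificate and compares it with the 2014-04-07 threshold used above. The live check assumes the openssl command-line tool is installed; the date-parsing function works on the text openssl prints and needs no network.

```sh
#!/bin/sh
# Added example: decide whether a server certificate was issued on or after
# the Heartbleed disclosure date, which the article uses as the sign that a
# site has replaced its private key. Assumes the openssl tool for check_site.

HEARTBLEED_FIX_DATE=20140407   # YYYYMMDD; adjust for sites that re-keyed earlier

# Convert the "notBefore=Apr  2 00:00:00 2014 GMT" line printed by
# `openssl x509 -noout -startdate` into a YYYYMMDD number.
startdate_to_yyyymmdd() {
    line=$1
    rest=${line#notBefore=}        # drop the "notBefore=" prefix
    set -- $rest                   # now: Month Day HH:MM:SS Year Zone
    mon_name=$1; day=$2; year=$4
    case $mon_name in
        Jan) mon=01 ;; Feb) mon=02 ;; Mar) mon=03 ;; Apr) mon=04 ;;
        May) mon=05 ;; Jun) mon=06 ;; Jul) mon=07 ;; Aug) mon=08 ;;
        Sep) mon=09 ;; Oct) mon=10 ;; Nov) mon=11 ;; Dec) mon=12 ;;
        *) return 1 ;;             # not a date line openssl would print
    esac
    if [ ${#day} -eq 1 ]; then day=0$day; fi   # zero-pad the day
    printf '%s%s%s\n' "$year" "$mon" "$day"
}

# Exit status 0 when the certificate was issued on or after the fix date,
# 1 when it predates it, 2 when the line could not be parsed.
issued_after_heartbleed_fix() {
    ymd=$(startdate_to_yyyymmdd "$1") || return 2
    [ "$ymd" -ge "$HEARTBLEED_FIX_DATE" ]
}

# Live check: fetch the site's certificate and classify its issue date.
check_site() {
    host=$1
    line=$(openssl s_client -connect "$host:443" -servername "$host" \
               </dev/null 2>/dev/null | openssl x509 -noout -startdate) || return 2
    if issued_after_heartbleed_fix "$line"; then
        echo "$host: certificate issued after the Heartbleed fix ($line)"
    else
        echo "$host: certificate predates the Heartbleed fix ($line); key may be stale"
    fi
}
```

HEARTBLEED_FIX_DATE is a variable because, as the Google case above shows, a site that re-keyed before the public disclosure can legitimately carry an earlier date.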
- Written by Bruce Moore
Email Security Part 2: Digitally Signing Your Email
This is the second in a series of articles on how to secure your email. Securing Your Email Part 1: Verifying the Sender covers the reasons for setting up your email clients to send and receive digitally signed and encrypted email. If you haven't read it, the procedures in this article will be easier to follow if you have already read Part 1.
In this article, we'll go through the process of setting up a private key that you install only on your computer, and a public certificate (public key) that is attached to your email and which others will use to encrypt mail sent to you. Your private key and the certificates should be stored in a password protected file, and generally shouldn't be kept on your computer except where they are installed in the Operating System or your email client, where they are protected by encryption.
If you want to find out more about how all of this works, Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age by Steven Levy is a good non-technical book on how public key encryption works.
This article covers how to obtain an S/MIME certificate and how to install and use it on several major email clients:
- Obtaining an S/MIME Certificate for Your Email Address
- Installing and using the S/MIME Certificate on Thunderbird
- Installing and using the S/MIME Certificate on Microsoft Outlook
- Installing and using the S/MIME Certificate on Mac OS X Email Client
- Installing and using the S/MIME Certificate on an iPhone
Note that some illustrations show “StartCom” certificates. This article was originally written when StartCom was a reliable certificate vendor. In 2016, it was purchased by another vendor and issued some fraudulent certificates; it was subsequently removed as a Certificate Authority from most browsers and email clients. At some point I will go back and update all of these screen captures.
Obtaining an S/MIME Certificate for Your Email Address
There are a number of S/MIME certificate vendors that can provide you with a certificate to use for S/MIME email signing and encryption (kind of a mouthful of a sentence, isn't it?). Here are a few that offer free email certificates, although it may be hard to find the free offerings on some sites:
There are numerous other certificate vendors. As a rule, stick to one that offers an "Extended Validation" certificate, even though you won't be using one of these. This generally guarantees that the vendor's Certificate Authority root certificate will be installed as part of the Microsoft, Apple, and Android maintenance streams and that neither you nor the people with whom you correspond will need to accept a root certificate (there is risk in accepting root certificates). There are a couple of "Community Certificate Authority" services, but they generally don't have their root certificates accepted into the operating system maintenance streams.
For the free low-verification (Class 1) certificates, the vendor will send you an email with a link that you need to click on to verify that you are the email owner. If you want to pay for an Individual or Organization Class 2 certificate or an Extended Validation certificate, you will need to supply a driver's license (or passport) and other information that the vendor will use to verify your identity and authorization to obtain and control the certificates. You pay for the investigation--not the certificate, so make sure that you have all of the documentation together before applying so that the investigation is successful.
The tutorial that follows is for Comodo, the vendor that I have used.
If you are using an Apple computer, do all of this in Safari rather than Firefox or Chrome, even if those are your normal browsers. If you do this in Safari, it will automatically place the certificates in the Keychain where they are directly usable by the OS X email client. If you do this in Firefox or Chrome, the certificates may stay within the browser's keystore, in which case you will need to export them and import them into the keychain.
Similarly, if you are on Windows, do this under Internet Explorer, as it may place them directly in the Certificate Manager (same thing as Apple's keychain) without any intervention on your part. In either case, you will still need to make an off-computer back-up that is stored in an encrypted file.
- From the home screen, select "Sign Up Now" in the lower left corner
- Wait for the selection list for “Private Key Options” to appear before you start to enter your identification information. Unfortunately, the screen will paint without any indication that the key quality option will appear; while it is doing this, Firefox is generating a random number that it will use to generate a private key and then a “Certificate Request”. It will take Firefox a couple of minutes to generate the private key. If you proceed with entering your personal information, Comodo will come back with an error message that Firefox did not send a Certificate Request. Protect the private key and certificate as you would a password, and make sure to store a backup copy.
- Go to your email and click on the “Click and install Comodo Email Certificate” link.
- Firefox will automatically import the certificate into the Firefox Certificate Manager. If you use Internet Explorer, it will import it into the Windows Certificate Manager.
- It will install the certificate in your browser's keystore. For Safari on OS X, this is shared with the OS X email client--if you restart your email program, you can skip to Installing and using the S/MIME Certificate on Mac OS X Email Client.
- When you get back to the Control Panel, go to the Validations Wizard and validate all of your other email addresses.
- In Firefox, backup the certificates to a USB drive that you can store safely. It will prompt you for a password. Use a strong one. You will use this file to import certificates into Thunderbird, Outlook on your laptop, your iPhone or other devices that you use.
- If you use an OS X machine, you should back up your certificates to a USB drive that you can store safely. Use the keychain access program. You will need to select the private keys and certificates for each email address. In most areas, OS X is the easiest platform for S/MIME, but in this step, it is the hardest and most error prone. Select File->Export Items. It will prompt you for a filename and file type--take the default .p12 file type. When prompted, use a strong password.
- If you use Windows, you should back up your certificates to a USB drive that you can store safely. Use Internet Explorer or run certmgr.msc. The instructions that follow are for Internet Explorer.
- In Internet Explorer, select Options->Content->Certificates
- Next, select Export
- When it prompts, select "yes" to export the private key. It will require a password--use a strong one.
When you have finished generating and backing up your certificates and private keys, you are ready to install them on other computers or devices. The next sections show you how to install your certificates and private keys on other devices so that you can digitally sign and encrypt emails on all devices.
Installing and using the S/MIME Certificate on Thunderbird
Installing and signing email on Thunderbird requires installing your private key and certificates, assigning the certificate to use for each email account, and setting the default value for whether or not to digitally sign and/or encrypt each email.
Installing your Private Key and Certificates on Thunderbird
The first step in setting up Thunderbird is to install the certificates that you obtained in the previous step. To do this, go to Edit->Preferences->Advanced->Certificates. You will see a display something like the figure below. Select Import and go through the dialog to find the backup file with your certificate and private key from your USB drive. It will prompt you for the password to open the backup file and then it will import them to the list under "your certificates."
Setting the Certificate to use for Each Email Account
The next step is to go to each email account and select the certificate for that email account and set the defaults that you want to use as in the figure below. The whole point of this exercise is to authenticate your email, so go ahead and check the "Digitally sign messages" box.
If you check the encryption box, understand that it will only work for email recipients for whom you have a certificate--probably not very many people at this point in time. If you CC a bunch of people, you would need certificates for each of the people that you have cc'd. The email is stored unencrypted on your disk drive; the recipient may choose to store it encrypted or unencrypted.
Sending a Signed and/or Encrypted Email
Finally, we are ready to send a signed or encrypted email. Note that if you choose encryption, the sender, recipients and subject line are never encrypted...just the contents. The figure below shows the "send" dialog on Thunderbird--notice the S/MIME pulldown on the toolbar. To change whether or not the email is signed or encrypted, just click on one of the items in the pulldown. If you select "View Security Info" it will give you a dialog box with information on the certificates of the recipients.
Installing and using the S/MIME Certificate on Microsoft Outlook
To sign and encrypt email on Outlook, you must first install your private key and public certificate. In Outlook:
- Go to File->Options->Trust Center->Trust Center Settings->Email Security. Put a check mark in the setting to digitally sign emails by default.
- Within Trust Center, go to E-Mail Security and select Import/Export and use the Browse button to locate the .p12 file; enter the password for the certificate backup file and a name. The name doesn't appear to need to match up to anything.
- Accept the default of "medium" for the access level for this private key and certificate. This will prompt you once for each certificate in the file, but it won't give you an indication of the certificate that it is importing.
- If you want to review the certificates that you imported, enter certmgr.msc in the Run dialog.
Sending Signed Email
Sending signed email the first time will generate a couple of one-time-only prompts. To start off, let's make sure that we have set the defaults:
- Start a new email and then go to File->Properties
- Select Security. The check box for digitally signed should be checked
- When you hit "send" you will get a very cryptic prompt asking for access to the private key that is needed to digitally sign (or encrypt) the email. Select "Allow."
Installing and using the S/MIME Certificate on Mac OS X Email Client
Installing your Private Key and S/MIME Certificate on Mac OS X
The first step in sending digitally signed email is to install your private key and certificate on Mac OS X. To do this, take the key backup file (.p12 file type) and select it from finder. It will prompt you for the password to the backup file. When you enter the password, it will automatically import your private key and certificate into your keychain (keystore) and bring up the Keychain Access application. You do not need to do anything more, though it may be interesting to see all of the keys and certificates in the keychain. If you look around, you will see both the certificate and the private key that you just installed for your email account. If you have received signed email previously, you will see the certificates from those senders.
Sending Signed Email
Since we installed our private key and certificate in the previous step, the "send mail" window changed--it will now have a lock icon and a check-mark icon immediately to the right of the signature selection control as shown in the figure below. The digital signature property is now selected by default but the lock icon will show as unlocked until we enter a recipient from whom we have a certificate.
If you change the signature property, it will stay unchecked for subsequent emails until you change it back to checked. When you send an email the first time after you install your key and certificates, the email client will ask for access to your "keystore." You will need to allow access, otherwise the email client will not be able to sign and/or encrypt the email.
Sending Encrypted Email
To send an encrypted email, enter the email recipient in the "To:" area, and select the lock icon. If it won't lock, that means that you don't have a certificate for this person, and you can't send them encrypted email. If you do have a certificate, it will now lock (encrypt) for all email sent to that email address unless you unlock the icon.
It is important to remember that you must have a certificate from someone before you can send them encrypted email. When you receive a digitally signed email from someone, the Mac OS X client will automatically install their certificate in the keystore for you.
Installing and using the S/MIME Certificate on an iPhone
If you haven't already done so, you should make sure to set a lock password on your iPhone so that if you lose your device, your email isn't compromised. Similarly, make sure to set the remote wipe capability.
The hardest part in setting up an iPhone to send digitally signed and encrypted email is getting the certificate backup file onto the iPhone. Here are the steps to do this:
- Export each certificate as an individual backup file.
- Copy the files to the iPhone using one of two methods:
  - Copy each certificate file to iCloud drive
  - Email it (easy, but probably less secure)
- Select the file and follow the prompts to enter your iPhone lock code followed by the certificate backup password.
Once you have the certificates installed on your phone, you will need to go into settings to set up your email account to use it to send mail.
- Open settings and choose “Accounts and Passwords”.
- Select the account where you want to use the S/MIME certificate.
- Select the email account again at the right arrow.
- On the account settings screen, open the “Advanced” settings.
- On the Advanced Settings screen, enable S/MIME and select “Sign”.
- On the digital signature screen, select the certificate that you want to use for this email account.
- Written by Bruce Moore
I did a presentation on Internet security to my Toastmasters club, Hillcrest Toastmasters recently. Several people asked me for a copy of the slides so that they could take some of the actions that I discussed. The presentation covers why to set up S/MIME certificates for sending and receiving digitally signed and encrypted email. It also covers why you should use HTTPS as a user and as a web site administrator.
Detailed instructions on how to set up the email security settings are described in two more recent articles:
- Email Security Part 1: Verifying an Email Sender's Identity
- Email Security Part 2: Digitally Signing Your Email
- Written by Bruce Moore
Part 1: Verifying an Email Sender's Identity
Recently, someone hacked the Gmail account of "Susan", one of my wife's friends, and started sending emails with a link to a website that presumably would attempt to install malware on the recipient's phone or computer. My wife was suspicious of the email and replied asking if this was really Susan. The response came back quickly...yes it was Susan and she should click on the link for the really cool photo. Still suspicious, my wife called Susan, who said that she did not send the email and was understandably apoplectic that someone else was in control of her Gmail account.
My wife sent a note to all of their mutual friends telling them about the compromised email and not to click on any of the links--Susan couldn't send the email, because she didn't have control of the account. A friend replied that she had almost been fooled, and was about to click on the link. Her antivirus software might, or might not have stopped the malware attack.
Receiving spoofed or hacked email from a trusted friend's email address is all too common today. How can you tell that your friend is actually the person that sent the email? Fortunately, there is a way to do this, but it isn't really used all that often. The article that follows will tell you how to set things up to tell whether or not the email you receive is from a trusted friend--if they take some steps on their side as well.
The article will cover setting up your email clients to receive Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME is a protocol that allows a sender to digitally sign an email to authenticate themselves, and to allow you to send encrypted email to them. It is based upon the signer obtaining an SSL certificate from an authorized Certificate Authority (CA). To digitally authenticate the email that they send, your friends will have to obtain and install a certificate. To authenticate the email that you send, you will need to obtain and install a certificate. This article discusses how to receive S/MIME email. A separate article will discuss how you can send S/MIME email to authenticate the emails that you send and to allow others to encrypt emails sent to you.
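The signing, verification and encryption steps just described (and the two points made in Part 2's Thunderbird section: that you need the recipient's certificate to encrypt, and that only the body is encrypted) can be seen directly with the openssl command-line tool. This is an added example, not code from the article; it assumes openssl is installed, uses self-signed certificates in place of the CA-issued ones the articles have you obtain, and the names alice, bob, example.com and the message text are constructed for the demo.

```sh
#!/bin/sh
# Added example (not the article's own code): the S/MIME operations an email
# client performs behind the GUI, driven by the openssl command-line tool.
# Self-signed certificates stand in for CA-issued ones; alice, bob,
# example.com and the message text are constructed for this demo.

# Create a private key and self-signed certificate for one correspondent.
mk_identity() {                 # name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$1/emailAddress=$1@example.com" >/dev/null 2>&1
}

# Sign: the sender's private key produces a multipart/signed message whose
# body stays readable; the signature covers that body.
sign_message() {                # sender plaintext_in signed_out
    openssl smime -sign -in "$2" -out "$3" -signer "$1.crt" -inkey "$1.key" \
        -from "$1@example.com" -subject "Signed note" 2>/dev/null
}

# Verify: succeeds only if the signature matches the body AND the signer's
# certificate chains to a certificate in the trust file (the CA role).
verify_message() {              # signed_in trusted_crt verified_out
    openssl smime -verify -in "$1" -CAfile "$2" -out "$3" >/dev/null 2>&1
}

# Encrypt: needs the RECIPIENT's certificate, which is why you cannot send
# encrypted mail to someone whose certificate you do not hold.
encrypt_message() {             # recipient plaintext_in encrypted_out subject
    openssl smime -encrypt -aes256 -in "$2" -out "$3" \
        -to "$1@example.com" -subject "$4" "$1.crt" 2>/dev/null
}

# Decrypt with the recipient's private key.
decrypt_message() {             # recipient encrypted_in plaintext_out
    openssl smime -decrypt -in "$2" -out "$3" -recip "$1.crt" -inkey "$1.key" \
        2>/dev/null
}

# Run the whole flow in a scratch directory; returns 0 only if every
# expectation holds: good signature accepted, tampered body and wrong trust
# anchor rejected, Subject still visible on the encrypted message, body
# hidden, and only the intended recipient able to decrypt.
smime_demo() {
    work=$(mktemp -d) || return 1
    if (
        cd "$work" || exit 1
        mk_identity alice || exit 1
        mk_identity bob || exit 1
        printf 'The body of the message is confidential.\n' > msg.txt

        sign_message alice msg.txt signed.eml || exit 1
        verify_message signed.eml alice.crt verified.txt || exit 1
        grep -q 'confidential' verified.txt || exit 1

        # Alter the body after signing: the signature no longer matches.
        sed 's/confidential/public/' signed.eml > tampered.eml
        verify_message tampered.eml alice.crt /dev/null && exit 1
        # Alice's certificate does not chain to bob's: rejected as well.
        verify_message signed.eml bob.crt /dev/null && exit 1

        # Encryption hides the body but leaves headers such as Subject in clear.
        encrypt_message bob msg.txt enc.eml 'Quarterly numbers' || exit 1
        grep -q '^Subject: Quarterly numbers' enc.eml || exit 1
        grep -q 'confidential' enc.eml && exit 1

        decrypt_message bob enc.eml dec.txt || exit 1
        grep -q 'confidential' dec.txt || exit 1
        decrypt_message alice enc.eml /dev/null && exit 1
        exit 0
    ); then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}
```

Run `smime_demo && echo ok` to exercise the flow; the encrypted file enc.eml is worth opening to see exactly which headers an intermediary can still read.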
The article covers the following topics:
- Choosing phone and email clients that support S/MIME
- Receiving a digitally signed email on an iPhone
- Receiving a digitally signed email on Thunderbird (Windows, Mac and Linux)
- Receiving a digitally signed email on Microsoft Outlook
- Receiving a digitally signed email on OS X email client
- Receiving a digitally signed email on Firefox for a Gmail account
Choosing phone and email clients that support S/MIME
There are many email clients that support S/MIME, but the following are some of the popular clients that offer support:
- Microsoft Outlook
- Gmail within Firefox with "Gmail S/MIME" or "Panango" add-on. Panango is also available for Microsoft Internet Explorer
The following popular email clients DO NOT at this writing support S/MIME email. This is not a comprehensive list.
- Gmail within Chrome/Chromium
Choosing a phone that supports S/MIME is easy--get an iPhone. Although there are corporate S/MIME email solutions available for Windows, Android and Blackberry, the iPhone is the only one with a convenient consumer solution. If someone knows of a client for these devices, please, please tell me.
On Android, Dgigzo, R2Mail2 and a few others offer consumer email solutions, but they aren't really all that convenient--you have to know a number of settings for your email server to get them working.
I haven't been able to find consumer S/MIME clients on Windows and Blackberry.
Receiving a Digitally Signed Email on an iPhone
Turning on S/MIME for an iPhone
Since my wife and many of her friends do most of their email on an iPhone, that is the first device that I'll cover. Surprisingly, you have to turn on a setting to receive S/MIME email--it isn't on by default.
For each email account on your iPhone, go to the Advanced settings and turn on S/MIME as in the screen capture below:
Notice that the Sign and Encrypt sliders are still turned off--we will turn those on in the article on setting up to authenticate the email that you send. For now, let's look at an email to figure out how to tell if it was digitally signed.
Receiving a Digitally Signed Email on an iPhone
In the email below notice that blue circle with the check-mark that you've never seen before, and which only shows up on some emails. This circle means that the email was digitally signed and that the iPhone client has verified the signature against the Certificate Authority. If your phone does not have a data connection when you open the email, or the signature is invalid, it will show up as red.
Since all of my email is digitally signed, my wife knows not to trust any from me that does not have the blue circle.
To find out more about the sender, select the sender's name to get the address book entry
Viewing a certificate, then installing it
From here, select "View Certificate" to look at the information on the certificate.
Installing a certificate...this allows you to send encrypted email to the person named on the certificate
The "View Certificate" screen shows which Certificate Authority issued the certificate and whether or not it has been validated against the CA. For untrusted certificates, you can view the reason for the problem. You might accept a recently expired certificate, but you shouldn't do that as a standard practice. Email certificates are usually good for one year.
The next step is to install my certificate on my wife's phone so that she can send encrypted email to me if she wishes. Select "Install" and that's about it. If you send or receive encrypted email, it is imperative that you have antivirus scanning software. Most email providers have some antivirus scanning capability in their servers, but these scanners cannot scan an encrypted email or attachment--that can only be done by antivirus software on the client after it decrypts the email.
View the certificate chain
If a certificate from someone that you normally trust shows up as untrusted, the most likely cause is an expired certificate. Most commonly, the person forgot to renew it and get a new one (you will have to install the new one), but sometimes it means that you are woefully out of date on your device software.
In the certificate chain below, you will notice that the Certificate Authority root certificate installed on the phone has an expiration date. Apple distributes updated root certificates as part of the iOS maintenance process. If you haven't applied maintenance in a long time, some of your root certificates may have expired. This will cause the email sender's certificate to show as untrusted even though it has not expired. Never, ever install a root certificate unless it is part of the normal maintenance stream for your device.
Receiving a Digitally Signed Email on Thunderbird (Windows, Mac and Linux)
Thunderbird is an old email client that runs on Windows, OS X and on Linux. To receive digitally signed email, you don't need to do anything. In the figure below, the small envelope with the red sealing wax in the email header indicates that this email was digitally signed. If you click on the envelope icon, it will give you information about the certificate.
Receiving a Digitally Signed Email on Outlook
In Microsoft Outlook, the red ribbon in the email header indicates that the email was digitally signed. Clicking on the ribbon icon will give you information about the certificate.
Receiving a Digitally Signed Email on OS X Email Client
In the Apple OS X 10.9 email client, there is no default display of whether or not an email was signed.
To find out if the email was signed, you must select the "Details" text in blue, which will display the certificate information shown below. Once you turn on the details display, it will stay on for reading other emails.
Receiving a Digitally Signed Email on Firefox for a Gmail Account
The first step in using S/MIME to sign or encrypt Gmail using a browser is to install a browser and extension that supports S/MIME signing and encryption. At this writing, Chrome doesn't have add-ons or otherwise offer the support for S/MIME certificates. On Firefox, the Gmail S/MIME and Panango add-ons provide S/MIME support, but I was not able to get either one to work on Firefox 28.0 on Ubuntu Linux. Panango is available for Microsoft Internet Explorer, but I have not attempted to use this configuration.
The preferences for S/MIME and Panango are needed for sending email but not for receiving it.
Sending Digitally Signed Email
To send digitally signed email, go to the next article in this series, Email Security Part 2: Digitally Signing Your Email.
- Written by Bruce Moore
The February 22, 2014 DFW R User Group presentation will survey the graphics capabilities in R. The presentation covers
- gnuplot (not part of R, but a useful graphics tool that everyone should know).
- Basic R plot command
- ggplot2 graphics package
- lattice graphics package
- rgl visualization package
- qrencode for generating two dimensional bar codes (not part of R, but very helpful)
- Imagemagick graphic file conversion utility (not part of R, but very helpful)
The emphasis will be on doing basic plots in each tool and then discussing which tool to use for a particular graphics task.
The presentation file is available here. Because the presentation includes a lot of graphics, it is about 6M.
- Written by Bruce Moore