[HTTPS-E Rulesets] [HTTPS-Everywhere] OpenSSL vulnerability and HTTPS Everywhere

Pablo Castellano pablo at anche.no
Tue Apr 8 06:09:15 PDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Yan!

For what it's worth, I have just written this script in order to check it quickly.

https://github.com/PabloCastellano/pablog-scripts/blob/master/browsers_check_extension_keys.py

It supports Firefox (several profiles), Chromium and Chrome.

Regards,
Pablo.


On 08/04/14 02:41, Yan Zhu wrote:
> Hi all,
> 
> A serious vulnerability in OpenSSL 1.0.1-1.0.1f was announced
> today, which allows a connected client or server to read up to 64kb
> of memory at a time. This can be exploited repeatedly to leak
> arbitrary amounts of key material, including private SSL keys and
> Tor Hidden Service private keys. (You can read more about the
> impact on Tor via this blog post: 
> https://blog.torproject.org/blog/openssl-bug-cve-2014-0160.)
> 
> Here's how this bug affects HTTPS Everywhere, to the best of my 
> understanding:
> 
> * The EFF server that hosted HTTPS Everywhere downloads was running
> an affected version of OpenSSL. In theory, this means that an
> attacker could have exploited the vulnerability to get a copy of
> our private SSL key. Note that this also applies to a large
> fraction of the servers on the Internet. In our case, the potential
> damage is mitigated by the fact that our servers supported
> ciphersuites with forward secrecy (such that future compromise of
> our SSL private key can't be used to decrypt past communications).
> 
> * However, even if EFF's private SSL keys have been compromised,
> updates to Firefox and Chrome HTTPS Everywhere are still safe
> (assuming you downloaded a safe copy of HTTPS Everywhere to begin
> with). This is because we sign all updates with an offline key, and
> Firefox/Chrome rejects updates unless they have a valid signature.
> 
> To check that you have a "good" copy of HTTPS Everywhere (one with
> the correct update signing keys), you can do the following:
> 
> 
> # Firefox:
> 1. Go to your Firefox profile directory:
> https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data#w_how-do-i-find-my-profile.
> 2. From there, go into ./extensions/https-everywhere@eff.org/
> 3. Open up install.rdf. You should see the following line:
> <em:updateKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB</em:updateKey>
> 
> # Chrome:
> 1. Go to your Chrome/Chromium profile directory:
> http://www.chromium.org/user-experience/user-data-directory
> 2. From there, go into ./Extensions/gcbommkclmclpchllfjekcdonpmejbdp/ADDON_VERSION,
> where ADDON_VERSION should be something like 2014.1.3_0.
> 3. Open up manifest.json. You should see the following value for "key":
> 
> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB"
> 
> (Note that the keys are the same. For reference, the sha1sum is 
> c33840b49a97cddc65e2c6bd312b2c6e7e6982e8.)
> 
> Hope this helps, Yan
> 
> PS: Server operators are recommended to update OpenSSL to 1.0.1f 
> immediately and rotate all private keys that could have been
> exposed.
> 
> 
> 
> _______________________________________________ HTTPS-Everywhere
> mailing list HTTPS-Everywhere at lists.eff.org 
> https://lists.eff.org/mailman/listinfo/https-everywhere
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
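The check Yan describes above (compare the update-signing key in install.rdf or manifest.json against the known-good value) can be automated. The script below is an added example written for this page; it is neither Pablo's script nor EFF's own code. It assumes the on-disk layout quoted in Yan's message (an unpacked `extensions/https-everywhere@eff.org/install.rdf` under a Firefox profile, and `Extensions/gcbommkclmclpchllfjekcdonpmejbdp/<version>/manifest.json` under a Chrome profile), and that the sha1 quoted in the mail is computed over the key characters alone; the sample files at the bottom are constructed for offline testing, not real installs.

```python
"""Check an installed HTTPS Everywhere copy against the expected update-signing key.

Added example for this mailing-list page; not Pablo's script and not EFF code.
"""
import hashlib
import json
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Update-signing public key quoted in Yan Zhu's message (same for Firefox and Chrome).
EXPECTED_KEY = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8"
    "f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2f"
    "LyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03"
    "aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BI"
    "AMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB"
)
EM_NS = "{http://www.mozilla.org/2004/em-rdf#}"      # namespace install.rdf uses for em:* elements
FIREFOX_ADDON_ID = "https-everywhere@eff.org"         # directory name under <profile>/extensions/
CHROME_EXT_ID = "gcbommkclmclpchllfjekcdonpmejbdp"    # extension id from Yan's message


def key_from_install_rdf(xml_text):
    """Return the <em:updateKey> text from a Firefox install.rdf, or None if it is missing."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{EM_NS}updateKey")
    return node.text.strip() if node is not None and node.text else None


def key_from_manifest(json_text):
    """Return the "key" value from a Chrome/Chromium manifest.json, or None if it is missing."""
    return json.loads(json_text).get("key")


def key_is_good(key):
    """True only when the installed key is byte-for-byte the expected signing key."""
    return key is not None and key.strip() == EXPECTED_KEY


def key_sha1(key):
    """SHA-1 of the key characters (assumption: no trailing newline), for manual comparison."""
    return hashlib.sha1(key.encode("ascii")).hexdigest()


def check_firefox_profile(profile_dir):
    """Yield (path, key, verdict) for an unpacked HTTPS Everywhere install in a Firefox profile."""
    rdf = Path(profile_dir) / "extensions" / FIREFOX_ADDON_ID / "install.rdf"
    if rdf.is_file():
        key = key_from_install_rdf(rdf.read_text(encoding="utf-8"))
        yield rdf, key, key_is_good(key)


def check_chrome_profile(profile_dir):
    """Yield (path, key, verdict) for every installed version of the Chrome extension."""
    ext_dir = Path(profile_dir) / "Extensions" / CHROME_EXT_ID
    for manifest in sorted(ext_dir.glob("*/manifest.json")):   # empty if the dir does not exist
        key = key_from_manifest(manifest.read_text(encoding="utf-8"))
        yield manifest, key, key_is_good(key)


# Constructed sample files (not real installs) so the parsers can be exercised offline.
SAMPLE_INSTALL_RDF = f"""<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{FIREFOX_ADDON_ID}</em:id>
    <em:updateKey>{EXPECTED_KEY}</em:updateKey>
  </Description>
</RDF>"""
# A manifest carrying a different key, i.e. the case the check is meant to catch.
SAMPLE_TAMPERED_MANIFEST = json.dumps({"name": "HTTPS Everywhere", "key": "MIIBIjANBgkq" + "A" * 380})


if __name__ == "__main__":
    # Usage: python check_https_everywhere_key.py <profile dir> [<profile dir> ...]
    for arg in sys.argv[1:]:
        for path, key, ok in list(check_firefox_profile(arg)) + list(check_chrome_profile(arg)):
            digest = key_sha1(key) if key else "-"
            print(f"{'GOOD' if ok else 'BAD '} sha1={digest} {path}")
```

Pass one or more profile directories on the command line; each install found is reported as GOOD or BAD together with the sha1 of the key it carries, so the digest can be compared by eye with the value in Yan's mail. A missing key is treated as BAD rather than as an error, since an install.rdf without an updateKey would accept unsigned updates.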

