[HTTPS-E Rulesets] [HTTPS-Everywhere] OpenSSL vulnerability and HTTPS Everywhere

Yan Zhu yan at eff.org
Tue Apr 8 09:53:04 PDT 2014


On 04/08/2014 06:09 AM, Pablo Castellano wrote:
> Thanks Yan!
> 
> For what it's worth I have just written this script in order to check
>  it quickly.
> 
> https://github.com/PabloCastellano/pablog-scripts/blob/master/browsers_check_extension_keys.py
> 
> It supports firefox (several profiles), chromium and chrome.

Thanks!

> 
> Regards,
> Pablo.
> 
> 
> On 08/04/14 02:41, Yan Zhu wrote:
>> Hi all,
> 
>> A serious vulnerability in OpenSSL 1.0.1-1.0.1f was announced
>> today, which allows a connected client or server to read up to 64kb
>> of memory at a time. This can be exploited repeatedly to leak
>> arbitrary amounts of key material, including private SSL keys and
>> Tor Hidden Service private keys. (You can read more about the
>> impact on Tor via this blog post:
>> https://blog.torproject.org/blog/openssl-bug-cve-2014-0160.)
> 
>> Here's how this bug affects HTTPS Everywhere, to the best of my
>> understanding:
> 
>> * The EFF server that hosted HTTPS Everywhere downloads was running
>> an affected version of OpenSSL. In theory, this means that an
>> attacker could have exploited the vulnerability to get a copy of
>> our private SSL key. Note that this also applies to a large
>> fraction of the servers on the Internet. In our case, the potential
>> damage is mitigated by the fact that our servers supported
>> ciphersuites with forward secrecy (such that future compromise of
>> our SSL private key can't be used to decrypt past communications).
> 
>> * However, even if EFF's private SSL keys have been compromised,
>> updates to Firefox and Chrome HTTPS Everywhere are still safe
>> (assuming you downloaded a safe copy of HTTPS Everywhere to begin
>> with). This is because we sign all updates with an offline key, and
>> Firefox/Chrome rejects updates unless they have a valid signature.
> 
>> To check that you have a "good" copy of HTTPS Everywhere (one with
>> the correct update signing keys), you can do the following:
> 
> 
>> # Firefox:
>> 1. Go to your Firefox profile directory:
>> https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data#w_how-do-i-find-my-profile.
>> 2. From there, go into ./extensions/https-everywhere at eff.org/
>> 3. Open up install.rdf. You should see the following line:
>> <em:updateKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB</em:updateKey>
> 
>> # Chrome:
>> 1. Go to your Chrome/Chromium profile directory:
>> http://www.chromium.org/user-experience/user-data-directory
>> 2. From there, go into ./Extensions/gcbommkclmclpchllfjekcdonpmejbdp/ADDON_VERSION,
>> where ADDON_VERSION should be something like 2014.1.3_0.
>> 3. Open up manifest.json. You should see the following value for "key":
> 
>> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB"
> 
>> (Note that the keys are the same. For reference, the sha1sum is
>> c33840b49a97cddc65e2c6bd312b2c6e7e6982e8.)
> 
>> Hope this helps, Yan
> 
>> PS: Server operators are recommended to update OpenSSL to 1.0.1f
>> immediately and rotate all private keys that could have been
>> exposed.
> 
> 
> 
>> _______________________________________________ HTTPS-Everywhere
>> mailing list HTTPS-Everywhere at lists.eff.org
>> https://lists.eff.org/mailman/listinfo/https-everywhere
> 
> 
> 

-- 
Yan Zhu  <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134
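The two manual checks quoted above (Firefox install.rdf, Chrome manifest.json), written out as a script. This is an added example, not Pablo's browsers_check_extension_keys.py and not EFF code. The expected key and the Chrome extension ID are the ones quoted in the announcement; the install.rdf and manifest.json contents embedded below are constructed samples, not copies of the shipped extension. Two assumptions: the Firefox extension directory is named https-everywhere@eff.org (the archived mail shows the list's "at" obfuscation), and the SHA-1 the script reports is taken over the base64 key text with no trailing newline, which may or may not be how the sha1sum quoted in the mail was produced, so compare it with care.

```python
"""Verify the update-signing key of an installed HTTPS Everywhere.

Added example, not Pablo's script and not EFF code.  It reads the two files
named in the announcement (Firefox install.rdf, Chrome manifest.json),
extracts the embedded key, and compares it with the key quoted in the mail.
The install.rdf / manifest.json contents below are constructed samples.
"""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# Key quoted in the announcement; the same key is embedded in both builds.
EXPECTED_KEY = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YF"
    "jDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3"
    "W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E1"
    "2bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcn"
    "NoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S"
    "6cy+CQIDAQAB"
)
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
CHROME_EXT_ID = "gcbommkclmclpchllfjekcdonpmejbdp"   # from the announcement


def firefox_update_key(install_rdf_text):
    """Return the <em:updateKey> text from install.rdf, or None if absent."""
    root = ET.fromstring(install_rdf_text)
    for el in root.iter(f"{{{EM_NS}}}updateKey"):
        return "".join((el.text or "").split())   # drop any wrapping whitespace
    return None


def chrome_key(manifest_text):
    """Return the "key" field from manifest.json, or None if absent."""
    key = json.loads(manifest_text).get("key")
    return "".join(key.split()) if isinstance(key, str) else None


def check_key(key):
    """Compare a key with EXPECTED_KEY and sanity-check its encoding.

    The key is base64 of a DER SubjectPublicKeyInfo; an RSA-2048 SPKI is
    294 bytes long and starts with the DER SEQUENCE tag 0x30.
    """
    if key is None:
        return {"present": False, "matches": False}
    der = base64.b64decode(key, validate=True)     # ValueError on garbage
    return {
        "present": True,
        "matches": hmac.compare_digest(key.encode(), EXPECTED_KEY.encode()),
        "der_sequence": der[:1] == b"\x30",
        "der_length": len(der),
        # SHA-1 over the base64 text without a trailing newline (assumption:
        # this may differ from how the sha1sum in the mail was computed).
        "sha1_of_base64": hashlib.sha1(key.encode()).hexdigest(),
    }


def check_firefox_profile(profile_dir):
    """Locate install.rdf under a Firefox profile and check its key."""
    # Assumption: the directory uses "@"; the archive shows "at" obfuscation.
    path = Path(profile_dir) / "extensions" / "https-everywhere@eff.org" / "install.rdf"
    if not path.is_file():
        return {"present": False, "matches": False}
    return check_key(firefox_update_key(path.read_text(encoding="utf-8")))


def check_chrome_profile(profile_dir):
    """Check every installed version of the extension under a Chrome profile."""
    ext_dir = Path(profile_dir) / "Extensions" / CHROME_EXT_ID
    results = {}
    for manifest in sorted(ext_dir.glob("*/manifest.json")):
        text = manifest.read_text(encoding="utf-8")
        results[manifest.parent.name] = check_key(chrome_key(text))
    return results


# Constructed samples of the two files, not copies of the shipped extension.
SAMPLE_INSTALL_RDF = f"""<?xml version="1.0"?>
<RDF xmlns="{RDF_NS}" xmlns:em="{EM_NS}">
  <Description about="urn:mozilla:install-manifest">
    <em:id>https-everywhere@eff.org</em:id>
    <em:updateKey>{EXPECTED_KEY}</em:updateKey>
  </Description>
</RDF>
"""
SAMPLE_MANIFEST_JSON = json.dumps(
    {"name": "HTTPS Everywhere", "version": "2014.1.3", "key": EXPECTED_KEY})
# Same length and still valid base64, but not the EFF key: the check must fail.
TAMPERED_MANIFEST_JSON = json.dumps(
    {"name": "HTTPS Everywhere", "key": EXPECTED_KEY[:-8] + "AAAAAAAB"})


if __name__ == "__main__":
    for label, key in [("firefox", firefox_update_key(SAMPLE_INSTALL_RDF)),
                       ("chrome", chrome_key(SAMPLE_MANIFEST_JSON)),
                       ("tampered", chrome_key(TAMPERED_MANIFEST_JSON))]:
        print(label, check_key(key))
```

To run it against a real install, call check_firefox_profile() with the profile directory from the Mozilla support page and check_chrome_profile() with the Chrome profile directory (for example the "Default" directory under the user data directory). A "matches": False result means the installed copy does not carry the key the announcement quotes and should not be trusted to verify future updates; reinstall from a known-good source rather than relying on the auto-updater.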
