"Unfortunately, the certificate revocation process is far from perfect and was never built for revocation at mass scale. If every site revoked its certificates, it would impose a significant burden and performance penalty on the Internet," Sullivan wrote. "At CloudFlare scale the reissuance and revocation process could break the CA infrastructure. So, we’ve spent a significant amount of time talking to our CA partners in order to ensure that we can safely and successfully revoke and reissue our customers' certificates."
More information coming
The certificate-revocation issue is likely to become a major part of a second wave of revelations and discoveries stemming from the Heartbleed bug, which many analysts had predicted could be shut off at the source by upgrading servers to non-vulnerable versions of OpenSSL's SSL/TLS encryption software. Most of the focus last week was on servers using the OpenSSL software to encrypt traffic between servers and browsers using the secure HTTPS protocol.
The lack of confirmed attacks based on the flaw helped dampen hysteria over the bug somewhat by April 11. But the long-term nature of the threat inherent in a bug that could have allowed the theft of identity information for two years while remaining undetected makes it very likely there will be more bad news this week about the impact of Heartbleed, according to a general warning about the bug issued April 11 by the US Department of Homeland Security.
False positives are likely to cause some of the confusion. A number of tools are already available to test a Web site's vulnerability, but some site owners are asking which ones can be trusted for accuracy when a tool's result contradicts OpenSSL's own evaluation of which versions of its software are vulnerable.
The team of researchers who built the University of Michigan ZMap open source network scanner -- which they said can scan all IPv4 addresses on the Internet in less than 45 minutes -- found that HTTPS is not the only vulnerable protocol, and have begun to count the number of servers vulnerable for other reasons.
Many of the utilities listed here, for example, are designed to detect Heartbleed, but may also become tools for hackers looking for vulnerable sites to attack. Despite assurances from OpenSSL that updating server software would solve the problem, many servers still appear vulnerable to attacks on HTTPS sessions, and other protocols using TLS's encryption-over-UDP variant are also coming under suspicion.
How did it start?
Discussions among researchers and site-security specialists have built a body of knowledge about how to find and fix the problem, including the reason the faulty "heartbeat" feature was introduced in the first place and how it works. (The official explanation from IETF documents is available here.)