Thursday, 17 April 2014

Heartbleed Bug Sends Bandwidth Costs Skyrocketing


Chart showing the global spike in revoked certificates after CloudFlare revoked its certificates this week due to Heartbleed. Chart courtesy of the Internet Storm Center.
Chart showing the global spike in revoked certificates after CloudFlare revoked its certificates this week due to Heartbleed.

The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones.
The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with some stunning numbers that give us an idea of the price of a serious bug like this one.
On Wednesday CloudFlare, which provides security for web sites, completed the process of revoking and replacing all of the SSL certificates for its customers, activity that forced issuer GlobalSign to update its Certificate Revocation List.
That CRL is what your browser requests from Certificate Authorities to determine which certificates have been revoked, and can no longer be trusted. If a cert is on the revocation list, your browser is supposed to display a message letting you know that the site you’re trying to access does not have a valid certificate, which is generally a security concern.
In the wake of Heartbleed, the size of those CRLs from Certificate Authorities more than quadrupled in size, due to all of the certs that companies had to revoke and replace.
According to CloudFlare, GlobalSign’s CRL grew from 22KB before Heartbleed to 4.9MB afterward.
The number of revoked certificates on the CRL increased from 1,492 to 133,243. And that was just GlobalSign’s CRL.
The update to the CRL list caused a huge spike in requests from browsers for the latest list, which in turn caused a drain on GlobalSign’s bandwidth.
“The activity of browsers downloading the Globalsign CRL generated around 40Gbps of net new traffic across the Internet,” CloudFlare writes in a blog post published today. “If you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign’s monthly bandwidth bill.”
That’s not the only issue for a CA, however, for this kind of mass revocation.
“Beyond the cost, many CAs are not setup to be able to handle this increased load,” CloudFlare notes. “Revoking SSL certificates threatens to create a sort of denial of service attack on their own infrastructures.”

No comments:

Post a Comment