Warning: Do not sign in to Nominet secure managment panel

Nominet secure site at http://secure.nominet.org.uk, which all customers use for administering their accounts, managing and transferring domain names is currently vulnerable to Heartbleed SSL bug widely reported since 7 April evening. Using a simple exploit, which is publically available and easy to find, anyone can obtain chunks of Nominet`s server memory which containts sensitive data, unencrypted. This includes, but not limited to, user passwords in clear-text, site access cookies, personal details and credit card details.. basically every bit of info which could come up after users signing in to their website and using it.

Besides that, Nominet’s SSL private keys and other vital secrets on the server could be compromised.

I notified Nominet yesterday at around 11pm – I don’t have direct contact to administrators so I wrote to my 2nd-level (more technical) customer support contact. They sent a reply at 8:28am today that this was passed to administrators.

At the time of writing this (11:40am) their site is still running vulnerable. I don’t know, perhaps they underestimate the seriousness of this issue, but they should have immediately taken down the whole management interface until the bug can be fixed.

Keeping it running and letting users sign in is absolutely reckless on their part, because every signing in user’s credentials can be seen in plain-text by attackers (and I bet there are enough of them watching & peeking through Nominet`s server memory at the moment).

Once this is fixed, a serious mitigation procedure will be required, involving contacting all customers to reset their passwords and re-generating their SSL keys at the very least…

It is surprising to see a national domain registry being so out of date on vital security issues of such important scale. Every minute counts and their admins should have been on security-mailing lists of software/operation systems they run on their servers, received & acted on this urgent alert minutes after disclosure. Not running vulnerable 2 days after, when even non-technical news sources already wrote about the issue…. Won’t be surprised if DailyMail reports it and Nominet is still running unpatched… :((

Update: Apparently, at least one other person reported this to Nominet via Twitter yesterday at 3pm. I am shocked this is still not acted upon.

Fixed

I received update from Nominet that the issue was fixed before noon. I guess it must have been fixed minutes after I checked it last time whilst it was still exploitable.

No word yet about implications of having customer’s passwords/data in public domain for 2 days.. or recall of Nominet’s SSL keys. If they don’t do anything – then their security compliance is a joke.

Next update – Nominet CTO responds:

 

In Nominet’s official response CTO is not telling the truth or takes a totally amateurish stance:

Many companies, including Nominet, use this software to help build their secure systems, so this flaw is very widespread. We, amongst many, have reacted quickly and ‘patched’ our systems.

No, how Nominet reacted is absolutely unacceptable. The bug was disclosed on all security mailing lists on the 7th of April. Nominet fixed the issue only 48 hours later, after concerned members (me included) started to notify and urge Nominet to take action. While most organizations of Nominet`s size & importance fixed the issue within minutes or at least hours – not days!

Nominet has seen no indication, in any of our systems, that this vulnerability has been exploited; however this acts as a timely reminder to ensure that we all look after and regularly change our usernames and passwords. If you use the same details across more than one website or service, now may be a good time for a regular refresh of these.

Nominet didn’t notice any exploitation attempts because exploitation is not sent to the logs. It is not possible to see whether the issue was exploited or not. The maximum they could see are connection attempts to establish SSL session. Unless Nominet captures and records all outgoing/incoming traffic (which is unlikely). CTO is trying to downplay the issue, when instead Nominet should be considering their server(s) compromised and revoking/re-generating SSL keys (as most other responsible organisations already did) and at least reset all passwords for users who has logged in in the last 3 days. I don’t even mention how this was also leaking customer`s personal and payment details… of course it would be PITA to inform everyone and revoke passwords/certificates – but THAT IS how responsible remediation must be done.

If you don’t believe me, read experts. As The Register quotes Mark Schloesser , security researcher at Rapid7, the developers of penetration-testing tool Metasploit:

Affected systems get updated but that’s just the start of security remediation. To mitigate against attacks resulting from leaked material, any SSL keys from affected systems should be replaced and revoked,” he added.

It was a very lame answer from Nominet.. I didn’t know that they are so irresponsible and have no standby sysadmins reading important security mailing lists?! How about using some of these excess money currently put into Nominet trust for gifting, to employ a full-time, security-conscious admin?

Nominet has re-generated their SSL key today. PS: If Nominet doesn’t change their SSL keys, their online service should be considered compromised. Customers will have to remember that it could be possible for someone in the future to eavesdrop on their communications with Nominet and intercept sensitive data, including logins and passwords. If this results in someone’s domains being stolen, Nominet could be subject to a successful law suit because they knew their encryption could have been compromised to endanger future transactions, but was reckless to make any mitigations.

10/04 – Nominet just issued another update via nom-announce mailing list:

Date: Thu, 10 Apr 2014 11:30:52 +0000

We have seen no unusual activity on any of our systems to indicate that advantage has been taken of the vulnerability. However, as a precaution we are contacting users who logged into our systems recently to advise them to change their password.

I am glad to see that they chosen to take appropriate mitigation and my campaigning wasn’t futile.