The Heartbleed Bug is a serious SSL/TLS encryption vulnerability in the popular OpenSSL cryptographic software library. So what is it?
To put it into layman’s terms, Heartbleed or CVE-2014-0160, depending on your pedantic nature, is a really bad thing.
In less simple terms, the ‘heartbeat’ service of OpenSSL can be exploited to ‘leak’ it’s memory and reveal the contents of of otherwise protected/encrypted data.
But we’ve heard of OpenSSL exploits/vulnerabilities before, why is this one exciting?
Not only does Heartbleed have it’s own logo:
..it has it’s own website: http://heartbleed.com/
If you wanted to know all about it, the heartbleed.com website is full of information and details on the vulnerability if you want to dig right in for maximum info.
Essentially these are the points made:
- This vulnerability has been around for years and so if someone had captured traffic from a year ago, and then got your secret keys with this exploit, this could allow them access to data you thought nobody could touch.
- Using this exploit to impersonate your servers could allow an attacker even more access.
- This is untraceable at the moment, meaning you don’t know what secure/protected content was stolen, or when.
- This isn’t even all about you and your servers, think about the private data of your users and how a common password could be stolen from your server and used to infiltrate other more-secure servers around the internet.
Who is impacted :
- Everyone that uses SSL is impacted in some way. Even if you just have to change some passwords. This will impact you.
- OpenSSL 1.0.1 through 1.0.1f are vulnerable. OpenSSL 1.0.1g and newer are fine. Very old servers that didn’t upgrade to the heartbeat feature may be immune.
- It’s estimated that this applies to over 66% of the web servers on the internet.
What to do :
- Upgrade OpenSSL and/or disable the heartbeat function.
- If you don’t disable the heartbeat function you can expect to be contacted by security teams checking to make sure you’ve upgraded.
- Make sure your users know, either by a site bulletin, or perhaps a blog post?
- Urge users to make password changes once you’ve secured your server.
- Make it clear that users need to update that password on all sites that it was used on.
- Be honest. No data can be assumed private at this point, your users should consider this truth.
- Revoke and reissue your server’s primary keys.
- As servers get patched you can reconnect with them, but there should be a ‘patch first, trust after’ policy.
..and above all else, Don’t Panic.