The Internet's Bleeding Heart: What you need to do

Posted in Knowledgebase | 10 April 2014 | Tagged with #heartbleed, Heartbleed, Heart Bleed, SSL Certificates

Recently a critical flaw was discovered in the security underpinning the majority of the Internet. Most of us have been taught that if your web browser displays a green padlock, your connection with that website is secure.

For the time being this is no longer the case.


What everybody needs to do

Check to see if the website is affected

Before you login to a website you need to make sure the owners have taken steps to fix their servers.

LastPass have released an online tool you can use to check if a website is likely affected by the issue. Visit https://lastpass.com/heartbleed and enter the address of the website. If the site is still vulnerable do not login to the site. Check it again later and wait until it's reported as safe.

Change your password

Once you know the owners of the website have taken steps to protect you from the vulnerability you need to change your password. The vulnerability is severe enough that you should assume your username and password were compromised. Do not change your password before verifying the website has been patched; until then your new password could still be intercepted or otherwise compromised.

If you use the same password on any other websites you need to change it there too, even if the website isn't affected.

What server administrators need to do

Update your server software

OpenSSL version 1.0.1g is patched against this issue. If you are running a previous version you need to update immediately. If you are using OpenSSL 1.0.2 you need to update to 1.0.2-beta2. If you are unable to upgrade, refer to the security advisory linked at the bottom of this post for a workaround.

Revoke SSL certificates and generate new private keys

The severity of the issue means that your server's private key may have been stolen. You will need to revoke any existing SSL certificates, destroy the private key and generate new ones (yes, it's that bad).

The vulnerability allows an attacker to read up to 64KB of system memory, and that memory may contain your private key.

Invalidate browser sessions

All existing browser sessions for your clients should be treated as compromised and should be invalidated. Most web applications have a concept of a "secret key" or "secret token"; review the documentation of your applications to find where this is set and change it. This will cause all previously issued session cookies to fail validation and force your users to log in again.
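The three server-side steps above (check the OpenSSL version, generate a replacement private key and CSR, rotate the application's session secret) collected into one POSIX shell script. This is an added example, not code from the original post or from aFinite; it assumes the openssl command-line tool is on PATH, that the vulnerable releases are 1.0.1 through 1.0.1f and 1.0.2-beta1 (as the advisory states), and that the hostname and output directory are supplied by the caller. Note that distributions often backport the fix without changing the version string, so a "vulnerable" verdict from the version check means "confirm with your package changelog", not proof of exposure.

```shell
#!/bin/sh
# Added example (not part of the original post). Helpers for the server
# administrator steps: version check, key/CSR regeneration, session secret rotation.
# Assumptions: POSIX sh, the openssl CLI on PATH, hostname/dir passed by the caller.

# Return 0 (true) when the given `openssl version` output names a vulnerable release.
# Vulnerable: 1.0.1 through 1.0.1f (including builds such as "1.0.1e-fips") and 1.0.2-beta1.
# Not affected: 1.0.1g, 1.0.2-beta2, and the 0.9.8 / 1.0.0 branches.
openssl_is_vulnerable() {
    ver=$(printf '%s' "$1" | awk '{print $2}')   # e.g. "1.0.1e" from "OpenSSL 1.0.1e 11 Feb 2013"
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta1)                   return 0 ;;
        *)                             return 1 ;;
    esac
}

# Check the locally installed OpenSSL and print a verdict.
# Returns 0 if in the vulnerable range, 1 if not, 2 if openssl is missing.
check_local_openssl() {
    out=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    if openssl_is_vulnerable "$out"; then
        echo "VULNERABLE by version string: $out (distributions may have backported the fix; check the package changelog)"
        return 0
    fi
    echo "not in the vulnerable range: $out"
    return 1
}

# Generate a fresh 2048-bit RSA private key and a CSR for host $2 in directory $1.
# The old key is assumed stolen and is not touched or reused here; the CSR is what
# you submit to your CA for the replacement certificate. Prints the CSR path.
new_key_and_csr() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # umask in a subshell so only the owner can read the new private key
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1 ) || return 1
    echo "$dir/$host.csr"
}

# Produce a new 256-bit application secret as 64 hex characters. Installing it where
# the application reads its "secret key" invalidates every cookie signed with the old one.
new_session_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Usage when run directly: check_local_openssl; new_key_and_csr /etc/ssl/private www.example.com; new_session_secret
```

The version check is deliberately conservative: a string such as "1.0.1e-fips" is reported as vulnerable even though the vendor may have patched it, because the safe default after an incident like this is to verify rather than assume.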

Notify your customers

Let your customers know that you have fixed the issue and inform them that they need to log in and change their passwords.


Give us a call on 0113 8873 999 if you have any questions about what you should do now.


References

OpenSSL Security Advisory (CVE-2014-0106) https://www.openssl.org/news/secadv_20140407.txt

Written by Oliver Heard
