some guy on the Internet

the network engineer fears the backhoe, and the systems engineer fears the network engineer

PSA: Heartbleed OpenSSL Vulnerability


Over dinner last night one of my friends was talking about an OpenSSL vulnerability that had just been disclosed; this morning I took a closer look and decided that I want to boost the signal a bit.

The Heartbleed vulnerability (CVE-2014-0160) is a missing bounds check in OpenSSL's TLS heartbeat extension. It affects OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) and is fixed in 1.0.1g; the 0.9.8 and 1.0.0 branches are not affected. A vulnerable server (or client) can be made to return up to 64 KB of its process memory per request, and that memory can include the private key, session cookies and user passwords; this is arguably one of the worst ways in which an encryption library can fail, and exploitation normally leaves nothing in the server's logs. If you are publishing anything that is secured with SSL/TLS (e.g. HTTPS, SMTP/IMAP with STARTTLS, LDAPS, to name a few common uses) and using a vulnerable version, then first upgrade OpenSSL (or rebuild it with -DOPENSSL_NO_HEARTBEATS) and restart every process that loaded the old library, and only then treat your keys as compromised: generate a new private key, issue new certificates, and revoke the old ones. Re-keying before patching just hands the attacker the new key as well.
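To make the "missing bounds check" concrete, here is an added illustration, not OpenSSL's own code: a simplified model of the TLS heartbeat handler with the vulnerable logic beside the check that 1.0.1g added. The "process memory", the heartbeat record and the adjacent SECRET string are all constructed here (names are mine), so the over-read stays inside one array and the program is well defined while still showing the attacker-controlled length field doing its damage.

```c
/* Simplified model of the TLS heartbeat handler (RFC 6520 layout:
 * type(1) | length(2) | payload | padding(16)). Illustration only;
 * this is not OpenSSL source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING_LEN 16

/* Constructed "process memory": the received record sits at the front and
 * something secret (a stand-in for key material) sits right after it. */
static uint8_t memory[256];
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";

/* Build a heartbeat request whose length field claims `claimed` payload
 * bytes while only `actual` bytes are really present. Returns the real
 * record length, i.e. what the TLS record layer would report. */
size_t build_request(uint16_t claimed, size_t actual) {
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed >> 8);
    memory[2] = (uint8_t)(claimed & 0xff);
    memset(memory + 3, 'A', actual);
    size_t rec_len = 3 + actual + PADDING_LEN;
    memcpy(memory + rec_len, SECRET, sizeof SECRET); /* adjacent heap data */
    return rec_len;
}

/* Vulnerable handler: trusts the attacker's length field and never compares
 * it with the real record length, so memcpy reads past the record. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    (void)rec_len; /* the bug: this value is never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (out_cap < (size_t)3 + payload + PADDING_LEN) return -1; /* guards `out` only */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* over-read happens here */
    memset(out + 3 + payload, 0, PADDING_LEN);
    return 3 + payload + PADDING_LEN;
}

/* Fixed handler: the two length checks the 1.0.1g patch introduced.
 * Malformed requests are silently discarded (return -1), no response. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + PADDING_LEN) return -1;            /* too short to hold a header */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + PADDING_LEN > rec_len) return -1; /* claimed > actual */
    if (out_cap < (size_t)3 + payload + PADDING_LEN) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, PADDING_LEN);
    return 3 + payload + PADDING_LEN;
}

/* Did the response carry the adjacent secret back to the requester? */
int response_leaks_secret(const uint8_t *resp, int resp_len) {
    if (resp_len <= 0) return 0;
    for (int i = 0; i + (int)sizeof SECRET <= resp_len; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t out[256];
    /* Attacker claims 100 payload bytes but sends 4. */
    size_t n = build_request(100, 4);
    int r = heartbeat_vulnerable(memory, n, out, sizeof out);
    printf("vulnerable: %d bytes returned, secret leaked: %s\n",
           r, response_leaks_secret(out, r) ? "yes" : "no");
    r = heartbeat_fixed(memory, n, out, sizeof out);
    printf("fixed: %s\n", r < 0 ? "request discarded" : "responded");
    return 0;
}
```

The point to take away is that the response length is chosen by the requester, so the only defence is comparing it with the length the record layer actually delivered; patching the library is what restores that comparison, which is why re-keying without patching does not help.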

If you are not your own sysadmin, then you should find out whether your service providers (including your employer) are reacting appropriately to this issue. Responsible service providers may proactively publish statements about the issue; if you don’t find anything on your provider’s website, contact technical support.

More information about this vulnerability can be found by consulting the CERT advisory; there are also some nice StackExchange questions:

  • http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit?
  • https://serverfault.com/questions/587329/heartbleed-what-is-it-and-what-are-options-to-mitigate-it

Responding to security vulnerabilities is always a tradeoff between effort and threat, but this one seems worth paying attention to.

-steve
