Heartbleed bug on OpenSSL: who is at risk?
HEARTBLEED BUG ON OPENSSL: WHO IS AT RISK?
Heartbleed is a bug that was discovered on April 7th, 2014 in OpenSSL versions 1.0.1 to 1.0.1f. OpenSSL is an open-source library used to implement TLS/SSL protocols on a web server.
OpenSSL is used everywhere in the world. It represents 66% of HTTPS server installations, according to a Netcraft survey carried out in April 2014.
The bug, which is officially referenced as CVE-2014-0160, has resided in production versions of OpenSSL for more than two years. It allows anyone to access server data without the need for ID or passwords. Highly sensitive data, such as user IDs, passwords, or even the private key of SSL certificates could potentially be accessed.
Suffice to say that we are taking this bug seriously, especially as attacks using this bug leave no traces in server logs. It is therefore impossible to know if it has already been exploited, or if your server has been compromised.
What should you do?
If you are using OpenSSL versions from 1.0.1 to 1.0.1f, carry out the following steps:
- Update OpenSSL immediately. The latest version, which fixes the bug, is 1.0.1g. Ensure that the libssl1.0.0 package has been updated as well (that package contains the actual library, and the openssl package contains the tools) and that all services using the library have been restarted after the upgrade.
- You must then reissue your SSL certificate. Please follow this process:
- Create a new private key and generate a new CSR.
- Re-issue your certificate. You can of course take this opportunity to renew your SSL certificate. Just give us a call on 800 180 220 or email info@SSL247.pt. If you are already an SSL247® customer, you can contact your dedicated account manager.
- Once the new certificate is installed it is necessary to revoke the previous one. You must ensure that your old private/public keys are fully disabled.
- As a safety measure, change as many passwords as possible and consider all your previous session keys and session cookies as potentially compromised.
Do not hesitate to contact the SSL247® team, specialists in Web Security, if you need any help. You can reach us by calling 800 180 220, or alternatively you can email us at info@SSL247.pt.
Mande-nos seus comentários
Seu comentário não será publicado. Se tiver alguma pergunta, não esqueça de informar seu enderêço de email para que possamos contacta-lo.