Fighting the Heartbleed Bug
[ updated 4/11/14 ]
Many of our clients are interested in fighting the “heartbleed bug.” Is this something you need to take seriously? If so, how should you manage your actions?
First of all, what is the heartbleed bug?
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by “vulnerable versions” of OpenSSL software. What this means in layperson’s terms is that the bug will compromise the secret keys used to identify the various service providers and as a result, capturing Internet traffic, the names and passwords of the users for affected sites and the actual content of those sites. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate those services and users. Put another way, it’s bad stuff.
How do I know if I’ve been affected?
The real issue is that if you haven’t been affected yet, you may be in the near future. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. It’s likely that the host of your web services uses Apache or other web management software – that also includes the use of OpenSSL. R/com Studios uses Apache on our servers, as an example.
Many online web services use TLS to identify themselves to the user (you) and to protect an individual’s privacy and transactions. You might have networked appliances with logins secured via the existing implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.
What versions of OpenSSL are affected?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
NOTE: OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
What operating systems are known to be affected?
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distribution with versions that are not vulnerable:
- Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
- SUSE Linux Enterprise Server
- FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
NOTE: Mac OS X Server may or may not be vulnerable. Mac OS X Mavericks uses OpenSSL 0.9.8y, and Mountain Lion has 0.9.8r, neither of which is vulnerable to Heartbleed. The most recent release of Safari is not affected, either.
What should I do?
First of all, look for updates to any software you use. Read about options. Install if you have confidence to do so.
For sites that you use relative to the use of a user ID and password, change them. Change them today. Then, plan on changing them again in 15 days. Hopefully, fixes will be distributed and people will be updating their servers, access, and versions of OpenSSL by then.
Test the sites you own, visit, or have concerns about. It’s easy: http://filippo.io/Heartbleed/
Whatever you do, don’t sit and watch. Doing nothing is inviting disaster. It can happen to you.
R/com has updated all of our servers to eliminate risk. We may be in touch with specific clients regarding this issue. If you have questions, don’t hesitate to contact us.