Sunday, 13 April 2014

Heartbleed Bug

The Heartbleed bug, a vulnerability in OpenSSL's TLS implementation, presents significant concerns for users and major challenges for site operators. This article presents a series of steps that server and site owners should carry out as soon as possible to help protect the public.

1. Update Your Servers

If you haven't yet, update any and all of your systems that use OpenSSL for TLS encrypted communications. This includes most web servers, load balancers, cache servers, mail servers, messaging and chat servers, VPN servers, and file servers, especially those running on Linux, Unix, BSD, Mac OS X, or Cygwin. The flaw is fixed in OpenSSL 1.0.1g. If your operating system has not yet released an updated package, download openssl-1.0.1g.tar.gz directly from https://www.openssl.org/source/ and follow the instructions in the INSTALL text file to compile the new version locally. When in doubt, reboot the entire server if possible. If you haven't updated your systems yet, stop reading and do it now.

2. Test Your Servers

It's important to verify that the hole has been closed, especially if you have multiple servers and services to stitch up. The SSL Server Test from Qualys SSL Labs will let you know if your web server remains vulnerable. If you have servers running on other ports to test, or STARTTLS mail servers, you can try the hb-test.py script.
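As an added example that is not part of the original post, the following POSIX shell functions cover the two checks behind steps 1 and 2 on a Linux host: classifying the local `openssl version` banner against the affected releases, and finding services that still have the replaced libssl or libcrypto mapped in memory, which is the reason the post suggests rebooting when in doubt. The version strings and the `/proc/<pid>/maps` format are OpenSSL's and Linux's own; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Post-update checks for a
# Linux host: classify the OpenSSL release banner and find processes still
# running the replaced library. Assumes a Linux /proc filesystem; the sample
# strings used in comments and tests are constructed.

# Classify an "openssl version" banner (e.g. "OpenSSL 1.0.1e 11 Feb 2013").
#   vulnerable  - 1.0.1 to 1.0.1f and 1.0.2-beta1, the releases with the bug
#   fixed       - 1.0.1g or later
#   unaffected  - other branches (1.0.0, 0.9.8) never shipped the heartbeat code
# Caveat: distributions often backport the fix without changing the version
# (a patched package may still report 1.0.1e), so "vulnerable" here means
# "confirm against the package changelog or an external test", not proof.
heartbleed_status() {
    ver=${1#OpenSSL }      # drop the product name if present
    ver=${ver%% *}         # drop the build date
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        1.0.1*)                                            echo fixed ;;
        *)                                                 echo unaffected ;;
    esac
}

# A process that loaded libssl/libcrypto before the package update keeps the
# old code in memory until it is restarted; /proc/<pid>/maps marks the replaced
# file "(deleted)". Reads maps text on stdin so it can also be run over a
# captured sample; exit status 0 means at least one stale SSL mapping exists.
stale_ssl_mappings() {
    grep -E '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' >/dev/null
}

# Live scan of all readable processes; prints the PIDs that need a restart.
# Unreadable maps files (other users' processes) are skipped silently.
pids_with_stale_ssl() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        ( stale_ssl_mappings < "$m" ) 2>/dev/null && echo "$pid"
    done
    return 0
}

if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(heartbleed_status "$(openssl version)")"
fi
echo "processes still mapping a replaced SSL library:"
pids_with_stale_ssl
```

Run it as root after the package update: any PID it lists is a service that still holds the old library and should be restarted even though `openssl version` already reports the fixed release.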

3. Be Safer Next Time

Use a password vault, use strong passwords, change them regularly, and don't reuse them. Practice least authority for certificates, too. If you don't need to give everyone root access to every server, you probably don't need to give every server a certificate for *.example.com.

4. Consider Rekeying Your Servers

One of the worst things about the Heartbleed vulnerability is that it makes it theoretically possible for an attacker to recover your server's private key. Key theft is a terrible attack because it tends to be undetectable by you, the server operator. If you run a server that intelligence agencies are likely to attack, this is a serious problem. Some certificate authorities will allow you to regenerate in one step. If you are given the option during the certificate regeneration process, it's a good idea to create a .csr file (Certificate Signing Request) and private key locally on your server using the openssl command.

5. Consider Changing Passwords

Unlike private key compromises, Heartbleed leakage of recently-used passwords from server processes linked to OpenSSL appears to have been quite common. This means you should perform a risk assessment and determine which categories of passwords on your servers and services may need immediate resets, user-reset-on-next-login, or advisories suggesting resets. You should determine which passwords are of sufficient value to deserve precautionary resets, and perform these after the steps above, in order to offer the new passwords proper protection. (If you've decided to rekey because of a concern about private key exposure, that is another reason to change users' passwords.)

6. Update Your Users 

7. Turn on Perfect Forward Secrecy