When I caught a quick glance at a “Heartbleed” mention on Tuesday, all I thought was, “Oh great, another vulnerability”. Then, I brushed it off. Of course, now it’s well-known that it’s not just “another vulnerability”; it’s genuinely severe, and one that all server admins need to look into, and potentially deal with. Fortunately, Techgage’s servers were unaffected.
Heartbleed takes its name from the heartbeat function in OpenSSL, which is used to monitor whether or not a user is still active. Exploiting this feature, which is reportedly simple, returns chunks of data stored in a server’s RAM, 64KB at a time, and those chunks can contain usernames, encryption keys, and other sensitive information. With enough of this information, accounts could be breached very easily, and what makes this particular bug so severe is the fact that two-thirds of the world’s servers run OpenSSL.
The fortunate thing is that not all OpenSSL installs are affected:
- OpenSSL 1.0.2-beta is vulnerable (will be fixed in upcoming 1.0.2-beta2)
- OpenSSL 1.0.1 – OpenSSL 1.0.1f (inclusive) is vulnerable; OpenSSL 1.0.1g is not
- OpenSSL 1.0.0 (and 1.0.0 branch releases) is not vulnerable
- OpenSSL 0.9.8 (and 0.9.8 branch releases) is not vulnerable
So, those running 1.0.0 or earlier are fine; those running newer versions need to take note. Yahoo! was affected to a serious degree, and even Google had to patch a number of its services. This is about as widespread a vulnerability as one can get, and if you own a website and want to see if you’re vulnerable, you can take advantage of a free test. If for some reason the tool is not able to tell you anything, you’ll need to log into your server, check which OpenSSL version is running, and then take action accordingly.
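As an added example (not part of the Techgage article, and not an official OpenSSL tool), the following POSIX shell script turns the affected-version list above into a check an admin can run on a server. It parses the output of `openssl version` and classifies the version string against that list; the function names `openssl_version_from` and `heartbleed_status` are my own. It also treats the final 1.0.2 releases (which did not exist when the article was written) as not vulnerable, and reports anything else as unknown rather than guessing.

```shell
#!/bin/sh
# Added example: classify an installed OpenSSL version against the Heartbleed
# affected-version list. Not from the article or the OpenSSL project.

# Extract the version token from `openssl version` output,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
openssl_version_from() {
    # Unquoted on purpose: split the banner into words and take the second.
    set -- $1
    echo "$2"
}

# Print one of: vulnerable, not-vulnerable, unknown.
# Patterns are ordered from most to least specific, because `case` takes
# the first match.
heartbleed_status() {
    ver="$1"
    case "$ver" in
        1.0.1g*|1.0.1[h-z]*)      echo "not-vulnerable" ;;  # 1.0.1g carries the fix
        1.0.1|1.0.1[a-f]*)        echo "vulnerable" ;;      # 1.0.1 through 1.0.1f (incl. -fips builds)
        1.0.2-beta1*|1.0.2-beta)  echo "vulnerable" ;;      # 1.0.2-beta, fixed in beta2
        1.0.2*)                   echo "not-vulnerable" ;;  # 1.0.2-beta2 and later 1.0.2 releases
        1.0.0*|0.9.8*)            echo "not-vulnerable" ;;  # older branches never had the heartbeat bug
        *)                        echo "unknown" ;;         # not on the list: check manually
    esac
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    v=$(openssl_version_from "$(openssl version)")
    echo "OpenSSL $v: $(heartbleed_status "$v")"
fi
```

Run it as `sh heartbleed-check.sh --check` on the server. One caveat: distributions often backport the fix without bumping the upstream version, so a patched package can still report 1.0.1e. Treat a "vulnerable" result as a prompt to check the package changelog (or rerun the free test against the live service), not as the final word.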
Heartbleed doesn’t just affect servers; it affects users of those servers. So, it’s worth changing your passwords on sites that have been affected, or that haven’t even mentioned whether they were affected (because maybe the server operator is unaware of the bug, and as such hasn’t patched the machine). Bear in mind that a new password set on a still-unpatched server can leak just as the old one did, so the change only helps once the site has actually been fixed. Proceed with caution, and as always, never use the same password on multiple sites.
With information about Heartbleed saturating the Web, let’s hope we don’t have to follow up on the damage it’s caused. There are still many vulnerable sites out there.