So it’s been a little over 24 hours since the Heartbleed Bug and associated fixes were announced. If you haven’t checked your SSL enabled site yet, I highly recommend that you do so. The test is available at SSL Lab’s site: Qualys SSL Labs SSL Tester. I highly recommend you give it a shot. If you don’t pass, the site will give you recommendations on how to fix it. I’ve been testing our web-facing equipment at work all morning, and the results are largely decent, with a few minor exceptions.
That being said, the question of the hour becomes: how much damage was done?
The answer to this question is largely unknown. If you haven’t been following the Heartbleed Bug I will try and explain it as much as I understand it.
Thanks to Nick, I understand that the bug allowed a remote attacker to remotely read data from server memory. This attack can be repeated many times, allowing an attacker to basically dump the webserver memory completely. Things like passwords, usernames, and security keys could be seen. Usernames and passwords are one thing: the user can change them almost at will (and a lot of people, including myself, will be changing ALL their passwords over the next few days) and is largely not the problem.
The real problems lay with the security keys for SSL certificates. If the security key for a SSL certificate was compromised before the bug patch was deployed to that server, then the server must still be considered compromised until they regenerate their SSL certificates (which I will also be doing this week, once I get Apache upgraded from 2.2.22 to 2.4.x). If the attacker has the security keys for the SSL certificates, than the encryption that the SSL certificate services provides are basically null and void: the attacker can decrypt data fairly easily.
So at the end of the day, the question becomes: how bad is this?
The answer is: REALLY, REALLY, REALLY (potentially) BAD
- For the love of god, if you haven’t updated your SSL provider yet, please do so. The attack information has been published for over 24 hours. Attacks will start becoming prevalent VERY soon.
- If you do any sort of e-commerce now, or with the potential to do it any time soon (or if you even have users who login to your pages to post content, etc) then REGENERATE YOUR SSL CERTIFICATES WITH NEW KEYS. Otherwise, your site integrity is basically useless.
- Change your passwords for critical sites. Things like Google accounts, Bank accounts, Shopping accounts are all big targets. Do you want unexpected purchases and charges on your cards? I don’t think so.
I do not wish to seem alarmist or even crazy, but cyber security is a BIG DEAL and we need to pay attention to it.
Relevant sites for extra reading: