Heartbleed Security Threat
Resources
http://heartbleed.com/ - lots of technical information about Heartbleed
Latest Advice from Symantec - for users of Symantec, GeoTrust, Thawte, VeriSign and RapidSSL certificates
Latest Advice from Comodo - for users of Comodo SSL certificates
Test your Server for Heartbleed Vulnerability
http://filippo.io/Heartbleed/ - a clever programmer has develeoped an online test to tell you if your server is vulnerable to Heartbleed
Advice for Businesses
- IIS users, unless you use OpenSSL 1.0.1 through 1.0.1f, are not affected
- Apache and Nginx users, and any other configuration that uses OpenSSL 1.0.1 through 1.0.1f are affected
- If you are using OpenSSL 1.0.1 through 1.0.1f you must update to the latest, fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension
-
Once you have fixed your version of OpenSSL, your systems and data are still vulnerable if hackers managed to obtain your SSL Private Key before you applied the fix.
The only way to remove this ongoing vulnerability is to replace your SSL certificate with one generated from a new CSR which will automatically provide a new Private Key.
Until you do, the hackers will be able to decrypt all your website traffic - current and, potentially, historical. What to do:
- Send us a new CSR and we will re-issue your certificate - free of charge
- If we generated the original CSR for you, please contact us to arrange a re-issue
- Regardless of the above, if you believe your web server certificate may have been compromised or stolen as a result of any exploitation, please contact us for advice
- In summary, if you think your server may have been compromised, you should in this order:
- Suspend access for end-users
- Fix OpenSSL
- Install a re-issued SSL certificate (which will have a new Private Key)
- Reset all end-user passwords - and any other security data which may have been compromised
- Audit your systems
- Finally, and as a best practice, you should publish a statement on your website stating whether or not you believe your systems were compromised by this vulnerablility and advising your users of what steps they might need to take to protect themselves
Advice for Consumers
- Not all vendors were/are vulnerable to Heartbleed but you should assume that they are until you are sure that their website is safe.
- Do not enter any personal or private information, or passwords etc. until or unless you know that a website is safe
- Be aware that your data, passwords, etc. could already have been seen by a third party if you previously used a service provider while they were vulnerable
- Monitor any notices from the vendors you use. If a vendor tells to you that you should change your passwords, you should do so as soon as possible.
-
Watch out for potential phishing emails from attackers asking you to update your password.
They will try to direct you to a website that impersonates the real website
- Make sure that any links you follow actually take you to the real website
- Double-check the domain name in the address bar
- If you see a padlock in the address bar click on it and check that the certificate details match the website
- If you don't see a padlock in the address bar, be extra vigilant
- Look for a statement from the vendor that says either they didn't suffer from the vulnerability or that it is fixed and you are safe to proceed. If they were vulnerable for any period you will, as an absolute minimum, need to change your passwords on that website.
- Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
- Monitor your bank and credit card statements to check for any unusual transactions
