
Guidelines to Protect Yourself from the "Heartbleed" OpenSSL Bug

April 11, 2014 James Labonte

What is Heartbleed?

Heartbleed is a vulnerability in OpenSSL, a widely used open-source cryptographic library. The bug allows an unauthenticated remote attacker to read chunks of memory from any server (or client) running a vulnerable OpenSSL build, which can expose the server's private key, users' credentials and session cookies, and the plaintext of other users' traffic. Once the private key is compromised, an attacker who can capture traffic can decrypt it (unless a forward-secret cipher suite such as ECDHE was negotiated) or impersonate the server, and the exploit leaves nothing in the server's logs. It is important to note that this is a bug in the OpenSSL implementation, NOT a flaw in the SSL/TLS protocol or in the certificates themselves.

A serious vulnerability in the OpenSSL cryptographic library, tracked as CVE-2014-0160, affects around 17.5% of SSL web servers that use certificates issued by trusted certificate authorities, according to a recent Netcraft survey. This accounts for around half a million certificates. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension allows remote attackers to read up to 64 kilobytes of memory from an affected server per heartbeat request. Nothing stops the attacker from repeating the request, so far more than 64 KB can be harvested over time.

This could allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server. The affected certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.

Please note that a small percentage of Microsoft web servers also appear to support the TLS heartbeat extension. Microsoft's own TLS stack (SChannel) does not implement heartbeats, so these are most likely Linux machines running OpenSSL as reverse-proxy front ends to Windows servers, and it is the proxy that is vulnerable.

Support for heartbeats was added to OpenSSL 1.0.1 (released in 2012) by Robin Seggelmann, who also co-authored the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension RFC (RFC 6520). The new code was committed to OpenSSL's git repository just before midnight on New Year's Eve 2011.
OpenSSL's security advisory states that only the 1.0.1 and 1.0.2-beta branches are affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1. The older 0.9.8 and 1.0.0 branches never had heartbeat support and are not vulnerable. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Upgrading the library is only the first step: every process that loaded the old library (web servers, mail servers, VPN daemons) must be restarted, the private key should be treated as compromised (generate a new key, reissue the certificate, revoke the old one), and any passwords or session cookies that may have been in server memory should be reset.
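The missing bounds check and its fix, as an added self-contained C reconstruction (not OpenSSL's own code): the message layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding), while the handler names, the 256-byte stand-in for process memory and the "private key" string placed right after the request are all constructed for the demonstration. The vulnerable handler trusts the length field inside the message; the fixed handler adds the two checks against the length of the record that actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256
#define OUT_SIZE    512

/* Constructed stand-in for the server's process memory: the received record
 * sits at the start, and something sensitive happens to live right after it. */
static unsigned char g_mem[MEM_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";   /* constructed */

/* Write a heartbeat request into g_mem that claims claimed_len payload bytes
 * but only carries actual_len. Returns the length that really arrived. */
static size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len)
{
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed_len >> 8);
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + 3, payload, actual_len);
    size_t wire_len = 3 + actual_len + HB_PADDING;     /* padding left as zeros */
    memcpy(g_mem + wire_len, SECRET, sizeof SECRET);   /* the neighbour in memory */
    return wire_len;
}

/* Build the response: copies `payload` bytes starting at the request payload. */
static int write_response(const unsigned char *src, uint16_t payload,
                          unsigned char *out, size_t out_size)
{
    if ((size_t)3 + payload + HB_PADDING > out_size)
        return -1;                       /* protects only our own buffer, not the read */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, src, payload);       /* reads however many bytes the peer claimed */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Vulnerable handler, as in OpenSSL 1.0.1 to 1.0.1f: rec_len is never consulted. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_size)
{
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec + 3, payload, out, out_size);
}

/* Fixed handler: the two checks added in 1.0.1g, which silently drop the record. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_size)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* too short for even an empty heartbeat */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* claimed more than arrived */
    return write_response(rec + 3, payload, out, out_size);
}

/* Byte search (the response may contain NULs) for the neighbouring secret. */
static int contains_secret(const unsigned char *buf, int len)
{
    size_t n = strlen(SECRET);
    if (len < 0) return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Malicious request: claims 200 payload bytes, sends 5. Returns 1 if the secret leaks. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[OUT_SIZE];
    size_t wire = build_request(200, "hello", 5);
    int n = heartbeat_vulnerable(g_mem, wire, out, sizeof out);
    return n > 0 && contains_secret(out, n);
}

/* Same malicious request against the fixed handler: returns -1 (dropped). */
int fixed_rejects_request(void)
{
    unsigned char out[OUT_SIZE];
    size_t wire = build_request(200, "hello", 5);
    return heartbeat_fixed(g_mem, wire, out, sizeof out);
}

/* Honest request: the fixed handler still echoes exactly the 5 bytes sent. */
int fixed_answers_honest_request(void)
{
    unsigned char out[OUT_SIZE];
    size_t wire = build_request(5, "hello", 5);
    int n = heartbeat_fixed(g_mem, wire, out, sizeof out);
    return n == 3 + 5 + HB_PADDING && memcmp(out + 3, "hello", 5) == 0
           && !contains_secret(out, n);
}

int main(void)
{
    printf("vulnerable handler leaks the secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler result for malicious request: %d\n", fixed_rejects_request());
    printf("fixed handler answers honest request: %d\n", fixed_answers_honest_request());
    return 0;
}
```

The stand-in memory buffer keeps the over-read inside a single array so the demonstration is well-defined C; in the real library the same memcpy walks off the end of the record into whatever the heap happened to hold, which is why keys, cookies and other users' requests turned up in responses.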

How to Protect Yourself from the Heartbleed Bug

First, check which of the sites you use were affected. If you don't want to read through the long list of websites with the security flaw, the password security firm LastPass has set up a Heartbleed Checker, which lets you enter the URL of any website to check whether it was vulnerable to the bug and whether it has since been patched. Change a password only after the site has been patched: a new password entered on a still-vulnerable server can be read out of memory just like the old one.

Here are some websites that we recommend changing passwords for as soon as they have been patched:

Website | Was it affected? | Is there a patch? | Do you need to change your password?

Facebook | Unclear | Yes | Yes
What Facebook Officials Said: "We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed. We haven't detected any signs of suspicious account activity, but we encourage people to ... set up a unique password."

Tumblr | Yes | Yes | Yes
What Tumblr Officials Said: "We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue."

Twitter | Unclear | Unclear | Yes
What Twitter Officials Said: Twitter has not yet responded to a request for comment.

Google | Yes | Yes | Yes
What Google Officials Said: "We have assessed the SSL vulnerability and applied patches to key Google services." Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected; Google Chrome and Chrome OS were not. Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry.

Yahoo | Yes | Yes | Yes
What Yahoo Officials Said: "As soon as we became aware of the issue, we began working to fix it... and we are working to implement the fix across the rest of our sites right now." Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches to come, Yahoo says.

Gmail | Yes | Yes | Yes
What Gmail Officials Said: "We have assessed the SSL vulnerability and applied patches to key Google services." Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry.

Yahoo Mail | Yes | Yes | Yes
What Yahoo Mail Officials Said: "As soon as we became aware of the issue, we began working to fix it... and we are working to implement the fix across the rest of our sites right now."

Amazon Web Services (for website operators) | Yes | Yes | Yes
What Amazon Officials Said: Most services were unaffected or Amazon was already able to apply mitigations. Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront were patched.

Dropbox | Yes | Yes | Yes
What Dropbox Officials Said: On Twitter: "We've patched all of our user-facing services & will continue to work to make sure your stuff is always safe."

LastPass | Yes | Yes | Yes
What LastPass Officials Said: "Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys."

Wunderlist | Yes | Yes | Yes
What Wunderlist Officials Said: "You'll have to simply log back into Wunderlist. We also strongly recommend that you reset your password for Wunderlist."

Lastly, as always, keep an eye on your sensitive online accounts, especially banking and email, for suspicious activity, particularly over the next few weeks.
