When security researchers this week announced they had discovered a serious flaw in OpenSSL, the library Web servers use to encrypt sensitive communications between a site and its users, including things such as credit card numbers, user IDs and passwords, emergency rooms around the Internet began calling in every specialist they could find to figure out how best to treat the new vulnerability, known as Heartbleed.
And rightfully so. OpenSSL is used by more than two-thirds of the websites managed by some of the biggest companies and government agencies in the world, and by a wide variety of smaller enterprises that claim to communicate securely with customers and clients online. More important, the flaw that has opened up these websites to compromise reportedly has existed since December 2011 and leaves no trace when a hacker exploits it against your network.
So, in an effort to bring some order to the emergency room triage process to treat Heartbleed, FedScoop presents a collection of the best, common-sense advice for those worried about losing the lifeblood of their enterprise to a bleeding heart.
1. If you are using Apache Web server or nginx with OpenSSL, deploy the patch. And I don’t mean think about it, plan it or study it. I mean download it and get it out to your enterprise now. Here’s the link.
2. What’s affected and how do you know if you are at risk? Here’s a quick rundown of what’s affected and what isn’t.
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
How do you know if you are at risk? Try this online Heartbleed test.
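As a first-pass triage aid for the version list in #2, here is an added Python helper (not from the original article or from the OpenSSL project) that parses the banner printed by `openssl version` and flags hosts whose reported version falls in the 1.0.1 through 1.0.1f range; the host inventory is constructed for the example. Note that Linux distributions often backport the fix without changing the version letter, so a flagged host should be confirmed with the live test above or the package changelog.

```python
import re

# Affected range from the advisory: 1.0.1 through 1.0.1f inclusive.
# 1.0.1g, the 1.0.0 branch and the 0.9.8 branch are not affected.
VULNERABLE_BASE = (1, 0, 1)
LAST_VULNERABLE_LETTER = "f"

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.1f-fips 6 Jan 2014". The trailing letter is optional because the
# first release of a branch (e.g. "1.0.1") carries none.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner: str):
    """Return ((major, minor, patch), letter) parsed from an OpenSSL version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch)), letter


def is_heartbleed_version(banner: str) -> bool:
    """True if the banner's version lies in the advisory's affected range.

    This checks the version string only; a vendor build that backported the fix
    keeps the old letter, so treat True as "verify", not as proof of exposure.
    """
    base, letter = parse_openssl_version(banner)
    if base != VULNERABLE_BASE:
        return False
    # Single lowercase letters sort alphabetically; "" (bare 1.0.1) sorts first.
    return letter <= LAST_VULNERABLE_LETTER


# Constructed inventory: hostname -> output of `openssl version` on that host.
CONSTRUCTED_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "api-01": "OpenSSL 1.0.1 14 Mar 2012",
}


def hosts_to_patch(inventory: dict) -> list:
    """Sorted hostnames whose reported OpenSSL version is in the affected range."""
    return sorted(host for host, banner in inventory.items() if is_heartbleed_version(banner))


if __name__ == "__main__":
    print("Verify and patch:", hosts_to_patch(CONSTRUCTED_INVENTORY))
```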
3. When a site patches the vulnerability, it has to reissue site certificates. As a user, what does this mean for you? What should you do?
Well, first check your favorite sites in the tool mentioned in #2 above. If they are not fixed yet, try to avoid using their services until it’s been verified that the patch has been deployed.
Then, to make sure your browser will not accept old certificates, go to the Options tab in your Web browser, usually under the Advanced tab, and click on Certificates (in Google Chrome, it’s listed under HTTPS/SSL). Check the box that says “Check for server certificate revocation.”
If you are using Firefox, here’s where to find the certificate revocation option.
4. When you are certain your favorite site has been patched, change your password. Don’t change your password if you think or know the site remains vulnerable to Heartbleed. Wait until it has been patched.
5. Work fast, but don’t panic. No patient ever walked out of an emergency room staffed by panicking doctors.