What To Do About The Heartbleed OpenSSL Security Bug

Researchers have disclosed a serious vulnerability in OpenSSL, the open-source library that much of the web relies on to encrypt its traffic. Known as "Heartbleed," the bug lets an attacker read chunks of a server's memory, which can expose personal data such as credit card numbers, usernames and passwords and, most seriously, the server's private cryptographic keys, which would let the attacker impersonate the server or eavesdrop on its traffic. Yahoo Mail was one of the big-name sites that admitted it was vulnerable to attack. Yahoo has since patched all of its mail servers along with its other main properties, including Yahoo Search, Finance, Sports, Flickr and Tumblr. LastPass also uses OpenSSL and was vulnerable until this morning, but because user data is additionally encrypted on your own machine before it is ever sent, LastPass informed users that their stored data is still safe. Other sites impacted include 

Some experts have already called Heartbleed the worst bug yet, something that should worry everyone who uses the Internet or does business on it. Even the U.S. Department of Homeland Security advised businesses on Tuesday to review their servers for vulnerable versions of OpenSSL. The bug was introduced into OpenSSL's source in December 2011 and has been in the wild since OpenSSL 1.0.1 was released on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes it.

What versions of the OpenSSL are affected?

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

One caveat when checking your own servers: Linux distributions such as Debian, Ubuntu and Red Hat shipped the fix by backporting the patch to the 1.0.1 release they already packaged, so "openssl version" can still print a number in the vulnerable range (1.0.1e, for example) on a machine that has been patched. Check the package changelog or the build date printed by "openssl version -a" rather than relying on the version string alone.

The vulnerability was discovered by Google researcher Neel Mehta and by the security firm Codenomicon. They gave the bug, officially tracked as CVE-2014-0160, the appropriately evocative and frightening name Heartbleed, after the TLS heartbeat extension in which it lives. Updates that address the vulnerability are already available.
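To make the bug concrete, here is an added example that is not code from this page and not OpenSSL's own source, although the handler logic and the two added checks follow the shape of tls1_process_heartbeat in 1.0.1f and 1.0.1g. It simulates the heartbeat handler over a constructed memory arena: the peer's request claims a 16384-byte payload but sends a single byte, and the vulnerable handler copies 16384 bytes starting at that payload, carrying the constructed "secret" placed right after the record into the response. The arena, the record layout helper and the secret string are assumptions made for the demonstration; the fixed handler discards the malformed request and still answers an honest one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16                     /* RFC 6520: at least 16 bytes of padding */
#define MAX_PAYLOAD      65535                  /* largest value a 16-bit length field can claim */
#define ARENA_SIZE       (3 + MAX_PAYLOAD + HB_PADDING + 64)

/* Constructed process memory (an assumption for this demo): the heartbeat
 * record sits at the front and a constructed "secret", standing in for key
 * material or a session cookie left in the heap, sits right behind it. Sized
 * so that even a 65535-byte over-read stays inside the arena, which keeps the
 * demonstration itself well-defined C. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Writes a heartbeat request at the start of the arena. `claimed` is the
 * payload length the peer puts in the message; `actual` is how many payload
 * bytes it really sends. Returns the record length the TLS record layer knows. */
static size_t build_request(uint16_t claimed, size_t actual)
{
    unsigned char *p = arena;
    memset(arena, 0, sizeof arena);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed >> 8);     /* s2n(): big-endian length field */
    *p++ = (unsigned char)(claimed & 0xff);
    memset(p, 'A', actual);                   /* the payload bytes really sent */
    p += actual;
    p += HB_PADDING;                          /* padding, already zeroed */
    size_t rec_len = (size_t)(p - arena);
    memcpy(arena + rec_len, secret, sizeof secret);   /* data that must never leave the process */
    return rec_len;
}

/* Builds the response the way both the vulnerable and the fixed code do:
 * type, echoed length, `payload` bytes copied from `pl`, then padding. */
static size_t build_response(unsigned int payload, const unsigned char *pl, unsigned char *out)
{
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                  /* reads `payload` bytes from wherever pl points */
    bp += payload;
    memset(bp, 0, HB_PADDING);                /* OpenSSL fills this from RAND_pseudo_bytes */
    return (size_t)(bp + HB_PADDING - out);
}

/* Handler as in OpenSSL 1.0.1 through 1.0.1f: `payload` is taken straight from
 * the peer and rec_len is never consulted, so the copy runs past the record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    (void)rec_len;                            /* the missing bounds check */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(payload, p, out);
}

/* Same handler with the two checks added in OpenSSL 1.0.1g. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    if (1 + 2 + HB_PADDING > rec_len) return 0;           /* too short to be a heartbeat */
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* claimed length exceeds the record: discard (RFC 6520 sec. 4) */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(payload, p, out);
}

/* Scans a response for the planted secret. */
static int contains_secret(const unsigned char *buf, size_t n)
{
    size_t m = strlen(secret);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, secret, m) == 0) return 1;
    return 0;
}

typedef size_t (*handler_fn)(const unsigned char *, size_t, unsigned char *);

/* Sends a request claiming `claimed` payload bytes while carrying `actual`;
 * returns the response length and reports whether the secret came back. */
static size_t exchange(handler_fn h, uint16_t claimed, size_t actual, int *leaked)
{
    static unsigned char out[3 + MAX_PAYLOAD + HB_PADDING];
    size_t rec_len = build_request(claimed, actual);
    size_t n = h(arena, rec_len, out);
    *leaked = contains_secret(out, n);
    return n;
}

/* The classic probe: claim 0x4000 (16384) payload bytes, send one. */
int vulnerable_leaks(void)           { int l; exchange(heartbeat_vulnerable, 0x4000, 1, &l); return l; }
int fixed_leaks(void)                { int l; exchange(heartbeat_fixed, 0x4000, 1, &l); return l; }
size_t vulnerable_response_len(void) { int l; return exchange(heartbeat_vulnerable, 0x4000, 1, &l); }
size_t fixed_response_len(void)      { int l; return exchange(heartbeat_fixed, 0x4000, 1, &l); }
/* A well-formed one-byte heartbeat must still be answered after the fix. */
size_t honest_response_len(void)     { int l; return exchange(heartbeat_fixed, 1, 1, &l); }

int main(void)
{
    printf("1.0.1f: %zu-byte response, secret leaked: %s\n",
           vulnerable_response_len(), vulnerable_leaks() ? "yes" : "no");
    printf("1.0.1g: %zu-byte response, secret leaked: %s\n",
           fixed_response_len(), fixed_leaks() ? "yes" : "no");
    printf("1.0.1g, honest request: %zu-byte response\n", honest_response_len());
    return 0;
}
```

The vulnerable handler answers a 20-byte record with a 16403-byte response because the only thing bounding the copy is the length the peer wrote into the message; nothing in the server's memory is written out of bounds, which is why the bug went unnoticed by tools that watch for crashes rather than for over-reads.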

It is estimated that over 66% of the web uses OpenSSL, so you might want to hold off on online banking until companies have had time to update their servers. You can test individual sites with this tool, though it only reports whether a site is vulnerable right now, not whether it was vulnerable at some point in the past. You can find a list of possibly affected sites here, but keep in mind they may have been exposed at any time over the past two years. Because a leaked private key lets an attacker keep impersonating a site even after it has been patched, affected sites also need to reissue their certificates, and you should change your password for a site only once it has actually been patched: a new password sent to a still-vulnerable server is just as exposed as the old one.

  • Anonymous

    Ironic post when this very site is shown to be still vulnerable to Heartbleed…

    • Ben Young

      Which particular login did you find to be vulnerable? LastPass didn't bring up any of my LR logins when I checked them.

      • Nathan Kirsch

        You are correct, but it isn't actually being used for anything. The site's server OS will be patched soon, as it was deemed not critical by the server admin.

        • Ed

          And hooray for a miscommunication. Either way, no, this site isn't vulnerable anymore, as I finally had a chance to disable SSL temporarily until I actually get time to patch. The original intent was that it isn't being used for anything critical that would need to be left enabled; either way, it is no longer enabled, putting this to rest.

        • Nathan Kirsch

          It has been patched and disabled… Best of both worlds I guess.

  • basroil

    It’s a good thing I’m one of those paranoid guys who encrypts all data transfers twice and keeps all passwords offline then… How the hell did they miss that big of a bug in something everyone uses?

    And so much for the “open source is safer” crap…

    • Anonymous

      If you double encrypt and don't actually understand WHY "open source is safer", it's pretty obvious you have no clue to begin with, but I'll answer it.

      They missed it because it was exactly what you called it, a BUG. Do you think 'they' want bugs? If everyone could code with 0 bugs, don't you think they would? Do you realize that most companies with a bug this size wouldn't publish anything and might not have a patch for months, or in a few cases it's been years with no patch for known bugs? Open source did exactly what it is great for: finding a problem and having a quick resolution via patch.

      No system is 100% safe, not even air-gapped ones…