Over the course of the last week, the biggest story in the IT security landscape has been the emergence of the so-called Heartbleed bug. While some vendors have issued patches for the flaw, the risk is still significant.
The Heartbleed flaw is technically a software vulnerability in the open-source OpenSSL cryptographic library’s heartbeat function. OpenSSL is important because it is widely deployed on Linux servers and embedded devices around the world. The flaw can potentially enable an attacker to intercept and decrypt data sent to a vulnerable platform. The OpenSSL project released a patch for the flaw on April 7 — but that doesn’t mean everyone has updated, or that updates are even available for all platforms.
All Linux vendors have made new OpenSSL packages available for their users. However, it is incumbent upon server administrators to actually update their servers. And end-users can take mitigation steps to reduce the risk as well. Here are some risk reduction steps both admins and end-users can take to lower the Heartbleed threat.
Heartbleed Advice for Server Admins, Site Owners
Patch Your Servers. If you run a Linux Web server, make sure that you have updated for all of the latest patches.
Regenerate Certificates. An attacker may have already gained the server keys for SSL, rendering existing SSL certificates at risk. So those certificates should be regenerated.
Advise Users to Update Passwords. A challenge with the Heartbleed bug is that it’s difficult to identify what information might have been taken. Because of this, server admins should require users to update passwords. This might be a good time to look at tools that can help enforce password policies.
Enable Perfect Forward Secrecy. Perfect Forward Secrecy (PFS) is a technique for SSL that creates unique encryption keys for each session. As such, if an attacker got access to a key, they could only decrypt a single session and not all sessions made from a given server. You might want to check out this QuinStreet eSeminar on Perfect Forward Secrecy.
Review Your SSL Implementation. According to SSL Pulse statistics for April 5 (before the Heartbleed flaw became public), only 25.3 percent of sites scanned for SSL were deploying it correctly. Given that, this is a good time for admins to revisit their use of SSL and look for any weaknesses that may need to be addressed. This QuinStreet eSeminar offers tips on Correctly Implementing SSL on a Website.
Heartbleed Advice for Internet Users
Identify Risky Sites. There are multiple tools to help end-users simply identify sites that have not yet updated for the Heartbleed bug, including a Heartbleed Check from Norton, the LastPass Heartbleed Checker and this one. Google Chrome users can also benefit from the the Chromebleed extension. And Netcraft has a Heartbleed detection tool available for Firefox and Chrome.
Avoid Risky Sites. Users can always ask sites to update, but the best advice is to avoid sites that are still at risk, at least insofar as sharing any passwords or personally identifiable information.
Change Your Passwords. If the sites and services have already updated, it’s a good idea to change your password to limit risk. Users should not update passwords, however, until they confirm sites have updated.
Use Two-Factor Authentication. Two-factor authentication, which requires a randomly generated second factor (such as an SMS message, for example) to log into a website reduces the risk of losing a single password.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.