A major vulnerability (CVE-2014-0160) has been found in OpenSSL, which is the software that many people use to make secure, encrypted connections to websites. A security problem has been found that allows an attacker to read a small portion of the memory of the computer using OpenSSL. This could enable an attacker to see things that should be kept confidential, such as private keys, username and passwords. Further, if a site’s private key was exposed to an attacker, they could use it to impersonate your site or to decrypt any information in transit between your site and its visitors.
Unfortunately, there’s no way to tell if a particular site has been attacked as no trace is left in any log file. Lots of government services and sites use OpenSSL, including everything we host. If you’re a client of ours, you should hopefully have had an email this morning with some more information. In any case, there are some things that you now consider doing, if you operate or are responsible for a website which supports HTTPS connections.
- Check if you are vulnerable
Versions 1.0.1 through 1.0.1f are vulnerable. 1.0.1g is not vulnerable, and neither are the 1.0.0 or 0.9.8 branches. If you’re not running a vulnerable version, you don’t have anything to worry about.
- Upgrade or patch OpenSSL to version 1.0.1g
If you are vulnerable, you need to update as quickly as possible in order to prevent the possibility of any further attack.
- Revoke and replace your SSL certificates
Because your private keys could have been exposed, you should generate new private keys and SSL certificates, and revoke your existing certificates. If your private keys were exposed and you don’t do this, an attacker could still decrypt all your encrypted traffic, even if you upgrade OpenSSL to a fixed version.
- Change your passwords and delete affected cookies
You should log out and then change your account passwords on any affected service. In most cases, you’ll be able to delete relevant cookies by logging out and then back in.
You can find out much more about Heartbleed on the heartbleed.com, which has been set up to provide more information. You can also use this tool to check whether your site is vulnerable to Heartbleed.
If your site is managed or hosted by a supplier or some other third party, you should contact them immediately to find out if, how and when they’ll be addressing these issues.
If you’re a client of ours and you have any questions, please send an email to firstname.lastname@example.org, and we’ll be happy to help.