How to recover from Heartbleed

Summary: For companies, installing patched OpenSSL software is just the first step in fixing the Heartbleed security problem. End users face a long haul, too. A lot of work needs to be done before we're safe from Heartbleed.

Here's the good news: The patches for the OpenSSL Heartbleed security hole are now available for all major operating systems. Here's the bad news: Simply installing the patch isn't enough to protect your servers and users from attackers. Here's the worst news: All your users—yes all of them—are going to need to reset every last one of their passwords.

You may want to ignore this problem. You don't dare do so. So long as you're running unpatched OpenSSL 1.0.1 (any release from 1.0.1 through 1.0.1f) or 1.0.2-beta1, it is trivial for an attacker to make your server hand back up to 64KB of its own memory per request, with no login and nothing written to your logs; that memory can hold your server's private key, live session cookies, and your users' passwords. Adding insult to injury, this hole has existed in every release of OpenSSL from 1.0.1, shipped in early 2012, onward. Other SSL/TLS implementations, such as Microsoft's SChannel, which is what Windows and Azure services use, are not affected by this bug.
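As an added illustration (not code from the original article), here is a Python check that classifies the output of `openssl version -a` the way an administrator had to during this incident: first by version range, then by build date, because Debian, Red Hat and others backported the fix without changing the version string, so a host can report 1.0.1e and still be patched. The sample strings are constructed, and the April 7, 2014 cut-off is the release date of 1.0.1g; a result of `likely_patched` is a hint to confirm against an actual heartbeat test, not proof.

```python
import re
from datetime import date

# Releases carrying the vulnerable heartbeat code: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 are fixed; 0.9.8 and 1.0.0 never had the
# TLS heartbeat extension at all.
FIX_DATE = date(2014, 4, 7)  # release day of 1.0.1g; vendor rebuilds start here

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# Matches the "built on: Mon Apr  7 20:33:19 UTC 2014" line of `openssl version -a`.
_BUILT_RE = re.compile(
    r"built on:\s*(?:\w{3}\s+)?(\w{3})\s+(\d{1,2})\s+\d{1,2}:\d{2}:\d{2}\s+(?:\w+\s+)?(\d{4})"
)
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_build_date(text):
    """Return the 'built on:' date from `openssl version -a` output, or None."""
    m = _BUILT_RE.search(text)
    if not m:
        return None
    mon, day, year = m.groups()
    return date(int(year), _MONTHS[mon], int(day))


def classify(text):
    """Return (status, reason) for one `openssl version -a` output.

    status is one of: not_vulnerable, vulnerable, likely_patched, unknown.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return "unknown", "no OpenSSL version string found"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letters, beta = m.group(4), m.group(5)
    version = f"{major}.{minor}.{patch}{letters}" + (f"-beta{beta}" if beta else "")

    in_101_branch = (major, minor, patch) == (1, 0, 1) and letters <= "f"
    is_102_beta1 = (major, minor, patch) == (1, 0, 2) and beta == "1"
    if not (in_101_branch or is_102_beta1):
        return "not_vulnerable", f"{version} does not ship the vulnerable heartbeat code"

    # Distributions backported the fix without bumping the version string, so a
    # build date on or after FIX_DATE is the best offline hint that a
    # "vulnerable" version string is in fact patched.
    built = parse_build_date(text)
    if built is not None and built >= FIX_DATE:
        return "likely_patched", (f"{version} was built on {built.isoformat()}, after the fix; "
                                  "confirm with a heartbeat test before trusting it")
    return "vulnerable", f"{version} predates the fix; patch, rekey and reset credentials"


# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "distro_before_fix": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Wed Jan  8 20:58:47 UTC 2014",
    "distro_rebuilt":    "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:19 UTC 2014",
    "upstream_fixed":    "OpenSSL 1.0.1g 7 Apr 2014",
    "old_branch":        "OpenSSL 1.0.0k 5 Feb 2013",
    "beta_affected":     "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "beta_fixed":        "OpenSSL 1.0.2-beta2 (constructed)",
    "other_library":     "GnuTLS 3.2.12",
}


def classify_samples():
    """Classify every constructed sample; returns {name: status}."""
    return {name: classify(text)[0] for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, reason = classify(text)
        print(f"{name:18s} {status:15s} {reason}")
```

Run it against the captured output of `openssl version -a` from each host; anything that comes back `vulnerable` goes to the top of the patch list, and anything `likely_patched` still gets verified, because the build date is a heuristic, not a guarantee.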

This means that if you've been running a "secure" Apache or NGINX Web server--about two-thirds of all Web sites--your site, potentially, has been open to attack for years. Indeed, if you've been running any network service that uses OpenSSL for security, such as the Tor secure network, the Goldbug secure instant messenger, or many e-mail systems, including Yahoo Mail, it's possible that your information has been silently harvested by attackers.

I doubt there have been massive data raids by criminals, though, simply because I think we'd all notice if billions of dollars of fake credit-card transactions started appearing on our bills. Now, what the NSA has been doing with SSL vulnerabilities is, of course, another question entirely.

But, now that everyone knows that the hole is out there, and that it's as wide-open as an interstate highway at 2 in the morning, you dare not wait a minute to update your OpenSSL software. But, after you've patched your servers, you're still not done.

You'll also need to generate a new private key, have your Certificate Authority (CA) issue a new certificate for it, and revoke the old certificate. Without a new key, the old one, which may have been swiped in the last few days, can still be used to walk right through your brand new OpenSSL. Reissuing a certificate over the same key pair gains you nothing: it would be like replacing your old lock with a brand new one... that takes the same old key. Revocation itself is only a backstop, since most browsers treat a failed revocation check as a pass, so the fresh key is the step that actually protects you.

Once that's done, and only then, you'll need to tell your users and customers that it's time to change their passwords. They're going to love that, but there's no choice in the matter. There's a real chance that while the hole was open, their passwords were swiped, and you can't afford to let them continue to use their old ones; a password changed before the patch and the new key are in place can be harvested just like the old one. The same goes for session cookies and API tokens: anything issued while the hole was open may already be in an attacker's hands, and it keeps working until you invalidate it.
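As an added example (not code from the original article), here is what the "reset every password" step looks like from the server side, in Python: a single cutoff timestamp, the moment the patched OpenSSL and the new key were both live, separates exposed credentials from clean ones. Passwords last changed before it are flagged for a forced reset, and sessions minted before it are rejected outright, since a harvested cookie works until you kill it. The accounts, names and times are constructed. The cutoff is the rekey time rather than the patch time because traffic served under the old key after the patch could still be decrypted later if that key had leaked and the connection did not use a forward-secret cipher suite.

```python
from datetime import datetime, timezone

# Constructed timeline (not from any real incident): the instant at which the
# patched OpenSSL was live AND the new private key/certificate were serving.
# Everything issued or set before this point must be treated as exposed.
REKEY_TIME = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)


class Account:
    def __init__(self, name, password_changed_at):
        self.name = name
        self.password_changed_at = password_changed_at
        self.must_reset = False


class Session:
    def __init__(self, account, issued_at):
        self.account = account
        self.issued_at = issued_at


def exposed(when, cutoff=REKEY_TIME):
    """True if a secret set or issued at `when` existed while the hole was open
    or while the possibly-leaked old key was still serving traffic."""
    return when < cutoff


def force_resets(accounts, cutoff=REKEY_TIME):
    """Flag every account whose password predates the rekey; returns their names.

    Accounts that already changed their password after the rekey are left
    alone: that change happened on a patched server under a fresh key."""
    flagged = []
    for acct in accounts:
        if exposed(acct.password_changed_at, cutoff):
            acct.must_reset = True
            flagged.append(acct.name)
    return flagged


def complete_reset(account, now):
    """Called once the user has chosen a new password on the patched server."""
    account.password_changed_at = now
    account.must_reset = False


def session_valid(session, cutoff=REKEY_TIME):
    """A session is good only if its cookie was minted after the rekey and the
    account behind it no longer owes a password reset. The same cutoff applies
    to API keys and outstanding password-reset links."""
    if exposed(session.issued_at, cutoff):
        return False  # cookie may be sitting in memory an attacker harvested
    return not session.account.must_reset


def demo():
    """Walk two constructed accounts through the recovery; returns the decisions."""
    alice = Account("alice", datetime(2014, 1, 15, tzinfo=timezone.utc))
    bob = Account("bob", datetime(2014, 4, 9, 8, 0, tzinfo=timezone.utc))  # changed after rekey
    flagged = force_resets([alice, bob])

    stale = Session(alice, datetime(2014, 4, 8, 11, 59, tzinfo=timezone.utc))
    fresh_unreset = Session(alice, datetime(2014, 4, 8, 12, 30, tzinfo=timezone.utc))
    results = {
        "flagged": flagged,
        "stale_cookie": session_valid(stale),                       # minted before rekey
        "fresh_cookie_before_reset": session_valid(fresh_unreset),  # reset still owed
    }
    complete_reset(alice, datetime(2014, 4, 9, 9, 0, tzinfo=timezone.utc))
    fresh_reset = Session(alice, datetime(2014, 4, 9, 9, 1, tzinfo=timezone.utc))
    results["fresh_cookie_after_reset"] = session_valid(fresh_reset)
    results["stale_cookie_after_reset"] = session_valid(stale)  # stays dead forever
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the cutoff is stored once, server-side, and consulted on every request; the point is that a user logging in with an old password after the rekey gets only as far as the reset page, and no cookie from before the rekey is ever honoured again.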

If you're a user, you don't want to change your password yet. Wait until you hear from your service providers, whether it's an e-commerce site, your bank, or an e-mail service provider, before coming up with a new one; changing it before the site has been patched and given a new key only exposes the new password too. Oh, and by the way, for pity's sake pick a good password!

You can also check any particular site with the Heartbleed test to see if they've patched the hole yet. Major sites, such as Yahoo, have already fixed the main problem, but smaller sites will lag behind the big ones. Be aware, however, that this test site is currently vastly overloaded and it may take a while before you get a result from it. 

For a good list of what sites, services and companies have already addressed the main security hole, check out the Internet Storm Center's Heartbleed vendor notifications list.

If a site shows up as still having the hole do not—Do Not—make any transactions through it. You would be just asking to be robbed.

Finally, I hate to say it, but don't expect this problem to go away anytime soon. As Jeff Forristal the CTO of Bluebox Security, said in a statement, "OpenSSL is extremely pervasive on all manners of devices, systems, and servers; it is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years."

Topics: Security, Networking, Open Source

Talkback

76 comments
  • Now that operating systems

    Have pushed fixes to their repositories, maybe companies like Synology can follow this example, their very latest DSM 5.something, dated 26/3 is vulnerable.

    It would surprise you how many unsuspecting customers have their NAS SSL interface exposed so they can fire up torrents from work :)
    sjaak327
    • Proprietary software destroys FOSS again

      I have said over and over again this "open source for many eyes to review" approach is simply hype and would not work, and I have been proven right once more.

      In a proprietary firm you hire people to review and verify the code. If they do well they are rewarded. If not, they are fired so the guys have the vested interest to do a good job, which leads to quality software - the capitalist way (and the right way).

      In the FOSS world, there's no incentive to review other people's code no matter how open it is. People don't even have time to review their own code and now you want them to put in a ton of effort to meticulously review other people's code??!! Come on don't kid yourself. When the incentive is not there all you get is some half-hearted review that is TANTAMOUNT TO NO REVIEW so there goes the quality - the socialist way (and the wrong way).

      Some argue, "But, but, but, they detected the bug after a review now." Riiiiiiiight.... Such detection is too late since the hole has spread world wide on these X-servers. It's an epic fail no matter how you spin it.
      LBiege
      • You make reasonable points, though err in your conclusion

        You're actually right that even though the source code is open and peer reviewable, that doesn't mean it actually gets reviewed by anyone. Further, it takes a really thorough review to reveal exploits. In fact, one could argue that criminals seeking to find new exploits might be the ones doing the most thorough review of certain open source projects ;p.

        However, when it comes to the coding, financial incentives aren't always that effective. Good developers, whether commercial or open source, are self-motivated because they have a passion for programming, not for making money.

        The bottom line: Exploits happen to both commercial and F/OSS software. That's where your argument falters. The two aren't related.
        jcollake
        • You also make a good point, but you also err in your conclusion.....

          "However, when it comes to the coding, financial incentives aren't always that effective. Good developers, whether commercial or open source, are self-motivated because they have a passion for programming, not for making money"

          This is true to a point but the majority of people writing code for a living got into it for the right reasons. I don't know any programmers who set out to do it for greed or big $$. Nah, that doesn't fly. In the slice of the world I live in, which is in a country that supports capitalism, the majority of programmers and developers are in it because they were drawn to it as their profession. In many cases they are supporting a family or plan to at some point. It's not about the $$ but more about being the best they can for themselves and often for their family.
          So with that being pretty much equal on either side, there is another list of things beyond financial compensation which tend to make a proprietary software company's products better:
          * Programmers who work for a company are vetted and selected for their talents. You just don't find hobbyists working on development projects at software companies.

          * There is most often also access to training and further education through work which both is an incentive and builds their knowledgebase.

          * They are probably healthier because they have health insurance.

          * They work directly with other professional programmers so the collaboration is not fragmented as it can be with OSS.

          I think those reasons and probably many I didn't think to include are why proprietary software is more than likely going to be your best bet in the long run. I believe your conclusion didn't take into account everything that is in play on both sides.
          I guess I would also say the proprietary side doesn't tend to have as many extremists in my opinion. You don't typically see proprietary programmers on crusades against others' way of living and the systems they choose to use. That can't be healthy in the long term to harbor much ill will.
          xuniL_z
  • Rename the heartbleed to a more accurate ignorantProgrammers bug

    Pathetic programmers making the criminals job easy and everyone else pays for their utter incompetence.

    Programmers might not be the dumbest beings in the universe..... but they seem to be closely related.
    Reality Bites
    • Simple fix. Ban Open source from servers that need to be secure.

      MS gets pounded by the socialist software licensing backers, many over the years howling for the End of proprietary software, but at the end of the day, proprietary software is much better. It does not suffer from the parity that socialist software licensing creates, which in turn breeds mediocrity.
      xuniL_z
      • Please elaborate

        We're not talking about state-owned monopolies here, but voluntary cooperative efforts, to include participation of for-profit businesses that intend to use the code developed themselves to support their money making activities.
        John L. Ries
      • re:

        Hey, don't be besmirching the good name of Socialism by linking it to the FOSS community. I've always felt that the motivation of FOSS hackers was to get recognition from other would be software developers who find themselves un- or under- employed.
        Sir Name
        • And why shouldn't unemployed programmers stay active?

          Or even amateurs, if they produce good stuff? Are currently employed professionals so insecure that they can't stand the competition? Do professional auto mechanics feel threatened by do-it-yourselfers, or do they lobby school districts to abolish auto shop classes?
          John L. Ries
          • re:

            They should. They should too. No. There aren't enough auto repair DIYers these days to even count, no but they actively discourage anyone new trying to enter the field.
            Sir Name
          • No, but....

            Those doing it for a living, to support themselves and often their families have a lot more riding on getting it right than a hobbyist.
            That is what makes the biggest difference.
            xuniL_z
          • I've said this before...

            ...and you've probably even seen me say it: Professionals worthy of the name have nothing to fear from amateurs, volunteers, or do-it-yourselfers. If your services aren't sufficiently superior to what people can do for themselves and each other free of charge, then you don't deserve to be a professional. Thus the goal of proprietary software developers is to produce software worth paying for; not to restrict the availability of open source.

            By the same token, professional musicians worthy of the name have nothing to fear from the amateurs who haunt community bands and orchestras; nor do farmers and grocers have anything to fear from home gardeners (or if they do, they don't deserve to be in business).
            John L. Ries
          • I think the topic has changed from the problem of OSS...

            being the code used by the masses to why are professionals threatened by hobbyists?
            How did we get there? I don't know any professionals threatened by novices.
            That was never the point.
            Although now that you bring that up, it's more of a fear of OSS and socialism in general than who wrote it. We have Google, working on open source software it purchased to have an OS, that due to its low cost, not quality, has saturated the market.
            Aren't you the one that was posting the "Gloats" about this and how OSS has "taken over"? (Yeah, your OpenSSL has taken over for sure. )
            It's another disaster waiting to happen.
            I will never knowingly use any Google service, period. I recall the heat MS took just from WU alone on these forums, it was enough to last a lifetime and for decades we heard the evils of MS and "Big Brother"....ad nauseam.
            Now Google makes 95%+ of its income from taking all of your data it can get its claws into and the same people are fine with it. This goes back to an earlier post I made about extremists and the lengths they will go to for a technology "ideology". It's BS in short and exposes hypocrites and their agendas which were already quite thinly veiled anyway.
            What about those awful dangers of MS controlling the OEMs? Another endless firestorm from extremists. Now Google, thanks to Skyhook forcing it, has been made to release emails showing their real meddle. They describe how Google has forced OEMs to remain compatible with Google services. Samsung stopped and pulled back a full shipment of devices using Skyhook technology, which Samsung said was superior, because Google ordered them to do it. They had no choice, apparently this "open source" ecosystem doesn't extend outside of Google Play and Google services? Wow.
            I'm betting like the old Google Desktop, the older versions of Android that you can download are not nearly the complete Gold package that Google "licenses".
            BTW, I'm fine with Google making all the money it can. In fact I don't really have an issue, it's really just the amusement. I'm watching all of the open source "men" suddenly doing a 180 on their "till the death" ideology and there they stand in stark contrast, donned in their figurative dresses and lipstick.
            xuniL_z
          • I don't know who you were responding to...

            ...but it's not me. I've never gloated about open source taking over the world, or anything of the sort. And I've stated any number of times that I don't think that proprietary software is in any way, shape, or form immoral (but businesses who can't do better than their prospective customers can do for themselves or each other don't deserve to be in business). What I do appreciate is the fact that it's brought some badly needed competition to the software market and that it has allowed me and other UNIX users to bring UNIX-like systems home with us from work. And while I've been amused at MS' War on Google (honestly, I don't think Google is anywhere close to being a threat to civilization as we know it), I'm not particularly attached to Google, even though I'm an Android user (I don't even use Google for search).

            So I don't have a clue what you're talking about or who you're saying it to.
            John L. Ries
          • John, I profusely apologize, I recall who it was.....

            I don't know how I got you mixed up with the person I was thinking of and for that I am truly and profoundly sorry. I don't know why I jumped the gun like that.

            His first name might be Joe and I won't go beyond that other than to say he may use something red in color as his graphic. I know that is the person and the remarks were made that I referred to, but I'll not go further until/unless I can find the posts.
            Again, I am truly sorry and don't know how I mixed you up. You give non biased, intelligent and reasonable posts.
            xuniL_z
          • That may be... but they still don't get it right.

            Even the "best" still allow a stupid buffer overflow to bypass their security --- even 5 year olds can do it.
            jessepollard
          • re:

            Just as an aside, I have a consulting business with a partner in addition to my day job as a software developer and architect. We've individually made many tens of thousands of dollars each of the last few years mostly cleaning up the messes made by the hackers who came before us on various clients' LOB software. We even devote a fair amount of time in our day jobs to cleaning up the mess made by one previous hacker there. He was truly an Army of One and spawned several new entries into our work lexicon (i.e. "Man, that's just Erik-ed up!" or "That's so awful that it's positively Skaalheimian!").

            So I can almost wholeheartedly recommend amateur developers to just about anyone. The almost is because some companies see this poor quality work and think that the solution is to send the work to India. Then there is a lag time period between when they do that and they realize the results are even worse and more expensive. We have yet to reap the benefits from that work, but any day now...
            Sir Name
      • xuniL_z: "socialist software licensing backers"

        Are you thinking of the GPL? Because the OpenSSL license is a BSD-style license, which is considerably less restrictive than the GPL. Have a look:

        http://www.openssl.org/source/license.html

        And, given that Microsoft is all in with Apache Hadoop with its Apache 2.0 license, are you recommending that Microsoft breathe life back into its own proprietary development effort which it shut down in favor of using Hadoop?

        http://www.zdnet.com/blog/microsoft/microsoft-drops-dryad-puts-its-big-data-bets-on-hadoop/11226
        "Just a month after insisting there was still a place for its own Hadoop competitor, Microsoft officials have decided to discontinue work on LINQ to HPC, codenamed "Dryad."

        If open source software is socialist, then proprietary software is dictatorial.
        Rabid Howler Monkey
        • RHM, yes I know

          what licensing openssl uses. (who uses ssl anyway? SSH is all I use)
          I don't care what MSFT is doing, it doesn't mean anything about open source and the ability for anyone to make changes to critical software w/o sufficient review and QA.
          xuniL_z
          • And with that one comment....

            ...you immediately prove that you are in over your head and have no idea what the hell you're even talking about...

            "(who uses ssl anyway? SSH is all I use)"

            ...sigh
            daftkey