How to recover from Heartbleed

For companies, installing patched OpenSSL software is just the first step in fixing the Heartbleed security problem. End users face a long haul, too. A lot of work needs to be done before we're safe from Heartbleed.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Here's the good news: The patches for the OpenSSL Heartbleed security hole are now available for all major operating systems. Here's the bad news: Simply installing the patch isn't enough to protect your servers and users from attackers. Here's the worst news: All your users—yes all of them—are going to need to reset every last one of their passwords.

You may want to ignore this problem. You don't dare do so. So long as you're running an unpatched OpenSSL 1.0.1 (1.0.1 through 1.0.1f) or 1.0.2-beta1, anyone who can reach your server can read up to 64KB of its memory per request, with no login, a few dozen lines of script, and nothing written to your logs. That memory can hold your private key, session cookies and your users' passwords. Adding insult to injury, the bug has been in every OpenSSL 1.0.1 release since March 2012. The older 0.9.8 and 1.0.0 branches never had the heartbeat code and are not affected, and neither are other SSL implementations such as Microsoft's SChannel, which Windows and Azure use.

This means that if you've been running a "secure" Apache or NGINX Web server--about two-thirds of all Web sites--your site, potentially, has been open to attack for two years. Indeed, if you've been running any network service that uses OpenSSL for security, such as the Tor network, the Goldbug secure instant messenger, or many e-mail systems, including Yahoo Mail, it's possible that your information has been silently harvested by attackers.

I doubt there have been massive data raids by criminals, though, simply because I think we'd all notice if billions of dollars of fake credit-card transactions started appearing on our bills. Now, what the NSA has been doing with SSL vulnerabilities is, of course, another question entirely.

Now that everyone knows the hole is out there, and that it's as wide-open as an interstate highway at 2 in the morning, you dare not wait a minute to update your OpenSSL software, either to 1.0.1g or to your distribution's backported fix. After you've patched your servers and restarted every process that had the old library loaded (a patched file on disk does nothing for a Web server still running the old code), you're still not done.

You'll also need to generate a new private key, get a new certificate for it from your Certificate Authority (CA), and revoke the old certificate. Reissuing a certificate for the old key is useless: the key, not the certificate, is what may have been swiped while the hole was open, and anyone holding it can impersonate your site or decrypt recorded traffic from sessions that didn't use forward secrecy, walking right through your brand new OpenSSL. Unless you change the key, it would be like replacing your old lock with a brand new one... that takes the same old key.

Once that's done, you'll need to tell your users and customers that it's time to change their passwords, and you should expire every active session and session cookie at the same time, since those sit in the same memory the passwords did. They're going to love that, but there's no choice in the matter. There's a real chance that while the hole was open, their passwords were swiped, and you can't afford to let them keep using their old ones.

If you're a user, you don't want to change your password yet. Wait until you hear from your service providers, whether it's an e-commerce site, your bank, or an e-mail service, that they've patched and reissued their certificates; a new password sent to a still-vulnerable site can be harvested just like the old one. Oh, and by the way, for pity's sake pick a good password, and a different one for each site!

You can also check any particular site with a Heartbleed test to see if it has patched the hole yet. Major sites, such as Yahoo, have already fixed the main problem, but smaller sites will lag behind the big ones. Be aware, however, that the test site is currently vastly overloaded and it may take a while before you get a result from it.
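To see what a Heartbleed test is actually checking, and what "harvesting" means in practice, here is a self-contained model of the bug. It is an added example, not code from this article or from OpenSSL itself: it mirrors the logic of OpenSSL's tls1_process_heartbeat() in ssl/t1_lib.c, once without the bounds checks and once with the two checks the 1.0.1g patch added. The "arena" and the private-key string placed behind the record are constructed stand-ins for the server's memory, and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define CLAIMED_LEN      1024   /* what the probe says its payload length is */

/* Constructed stand-in for a process heap: the received record sits at the
   start, and data the peer must never see sits right behind it. */
static unsigned char arena[4096];
static unsigned char response[3 + 65535 + HB_PADDING];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *resp);

/* Build a heartbeat request the way a scanner does:
   type(1) | payload_length(2, big-endian) | payload | padding(16).
   'claimed' may be far larger than 'actual'; that gap is the whole attack. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed,
                              const unsigned char *payload, size_t actual)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed >> 8);
    out[2] = (unsigned char)(claimed & 0xff);
    memcpy(out + 3, payload, actual);
    memset(out + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;   /* bytes actually on the wire */
}

/* Vulnerable handler (1.0.1 through 1.0.1f): trusts the length field inside
   the message and never compares it with the length of the record that arrived. */
static size_t process_heartbeat_vulnerable(const unsigned char *rec,
                                           size_t rec_len, unsigned char *resp)
{
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                    /* the bug: rec_len is never consulted */
    if (type != TLS1_HB_REQUEST)
        return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);     /* over-read: copies memory past the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Patched handler (1.0.1g): the two bounds checks the fix added. */
static size_t process_heartbeat_patched(const unsigned char *rec,
                                        size_t rec_len, unsigned char *resp)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                     /* too short to even hold a header */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                     /* claimed length exceeds record: drop silently */
    if (type != TLS1_HB_REQUEST)
        return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Send one probe (4 real payload bytes, 'claimed' announced) through a handler.
   Returns the response length; 0 means the server dropped the message. */
static size_t run_probe(hb_handler handler, uint16_t claimed)
{
    static const unsigned char ping[] = "ping";
    memset(arena, 0, sizeof arena);
    memset(response, 0, sizeof response);
    size_t rec_len = build_heartbeat(arena, claimed, ping, 4);
    memcpy(arena + rec_len, secret, sizeof secret);  /* secret lives just past the record */
    return handler(arena, rec_len, response);
}

/* What a scanner effectively checks: did the reply contain memory that was
   never part of the request? */
static int probe_leaks_secret(hb_handler handler)
{
    size_t n = run_probe(handler, CLAIMED_LEN);
    size_t slen = strlen(secret);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(response + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: %zu-byte reply, leaks key: %s\n",
           run_probe(process_heartbeat_vulnerable, CLAIMED_LEN),
           probe_leaks_secret(process_heartbeat_vulnerable) ? "yes" : "no");
    printf("patched:    %zu-byte reply, leaks key: %s\n",
           run_probe(process_heartbeat_patched, CLAIMED_LEN),
           probe_leaks_secret(process_heartbeat_patched) ? "yes" : "no");
    return 0;
}
```

A real scanner does the same thing over a live TLS connection: it sends a heartbeat that claims a large payload but carries only a few bytes, and a server that answers with the claimed length is handing back its memory. Note that the patched handler still answers a well-formed heartbeat (claimed length equal to the real one), so the fix is a check, not a removal of the feature. The over-read in this demo is kept inside a buffer the program owns, so it is well-defined to run with `cc -std=c99`.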

For a good list of what sites, services and companies have already addressed the main security hole, check out the Internet Storm Center's Heartbleed vendor notifications list.

If a site shows up as still having the hole do not—Do Not—make any transactions through it. You would be just asking to be robbed.

Finally, I hate to say it, but don't expect this problem to go away anytime soon. As Jeff Forristal the CTO of Bluebox Security, said in a statement, "OpenSSL is extremely pervasive on all manners of devices, systems, and servers; it is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years."
