Heartbleed

For Muggles:

Are you an Internet user bewildered by all this noise about "heartbleed" and "resets"?
That's cool, ain't everyone gotta be a nerd. Buncha websites have probably been leaking passwords (and other security token type things) for a couple of years without knowing it. There's no good proof (YET) that anyone has really been attacking this though. Changing sensitive passwords after the sites fix themselves is probably a good idea (changing them before the fix just hands the new password to the same hole). Panicking is probably not warranted.

OMG I WENT TO THIS TESTING SITE AND IT SAID
Woah woah woah. A bunch of websites have thrown up "see if your favorite website is vulnerable to heartbleed" test pages. At least some of the popular ones are provably wrong, in both directions. Remember, everybody's selling something and some of them are selling you panic.

Be careful about password reset emails
As always, people who like to trick you out of money or sensitive information love to pivot off hot news events. If you get a password reset email from a service talking about heartbleed (or just in general) and you didn't do something to trigger the email, don't click the link. Go to the actual service site by typing its address yourself and reset your password there.

For Wizards:

So you're running a SSL/TLS site or mail gateway?
No? Well relax.
Yes? Keep reading

Was it on the OpenSSL 0.9.8 branch (or 1.0.0)?
OK, do nothing* (neither branch ever had the heartbeat code). Do check that nothing else on the box, say a client tool or a second copy built from source, is quietly linked against 1.0.1.

Wait what about hardware load balancer TLS termination?
Well, check and make sure that the TLS stack on it wasn't vulnerable of course, but you're probably OK. From what I've seen all the "firmware" implementations were fine but some of the "doing TLS in software on the load balancer" implementations may have been vulnerable.**

Was it using something else server-side to terminate TLS that isn't OpenSSL?
Well put your feet up and enjoy not being in the fire for once.

Was it on the OpenSSL 1.0.1 branch (1.0.1 through 1.0.1f, or 1.0.2-beta1)?
Cool, you've got work to do:
  • Upgrade to 1.0.1g or later right now, or recompile with heartbeats disabled (-DOPENSSL_NO_HEARTBEATS) if you can't upgrade yet, then restart every process that has libssl loaded (the old library stays mapped until you do)
  • Look up on your CA's site how to reissue your certificates, each has its own proper workflow
  • Regenerate your certs and use a new private key to do so (your old private key may have been leaked, and a reissue on the old key fixes nothing)
  • Reissuing doesn't necessarily revoke the old cert. Check, and if your CA didn't revoke it, do so explicitly.***
  • Invalidate all server-side session tokens (session cookies, API keys, anything that sat in the server's memory) in the most expedient manner. Yes, even if you have 2FA for your service: whoever read your memory got the post-login session, not the password.
  • Force a password reset for your users, and do it after the patch and the new cert are in place, or they'll just hand the new passwords to the same hole
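A small POSIX sh script to go with the list above. This is an added example written for this post, not the author's code: it classifies an `openssl version` string against the upstream releases that shipped the bug, asks a live server whether it still advertises the heartbeat extension (id 15) via `openssl s_client -tlsextdebug`, and does the re-key step with a fresh 2048-bit key and CSR. The host, key and CSR file names are placeholders you pass in.

```shell
#!/bin/sh
# Added example for this post, not the author's code.

# Pull the bare version number out of "openssl version" output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
parse_openssl_version() {
  set -- $1
  printf '%s\n' "$2"
}

# Exit 0 if the version is an upstream release that shipped the bug:
# 1.0.1 through 1.0.1f, or 1.0.2-beta1. 1.0.1g fixed it; 0.9.8 and 1.0.0
# never had the heartbeat code at all. Suffixes like "1.0.1e-fips" count.
heartbleed_vulnerable_version() {
  case "$1" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
    *) return 1 ;;
  esac
}

# Wrapper around the binary on this box. Only meaningful for an OpenSSL you
# built yourself: distro packages backport the fix and keep the old version
# string, so for those trust the package changelog, not this.
check_local_openssl() {
  v=$(parse_openssl_version "$(openssl version)")
  if heartbleed_vulnerable_version "$v"; then
    echo "openssl $v: upstream release with the bug (unless your distro backported the fix)"
    return 1
  fi
  echo "openssl $v: not an affected upstream release"
}

# Ask a live server (host:port) which TLS extensions it sends back.
# A server that does not advertise "heartbeat" cannot be Heartbled over that
# listener. One that does may still be patched (1.0.1g keeps the extension,
# just bounds-checked), so this rules out, never in.
server_advertises_heartbeat() {
  printf 'Q\n' | openssl s_client -connect "$1" -tlsextdebug 2>/dev/null |
    grep -q 'server extension "heartbeat"'
}

# The re-key step from the list: never reuse the old key. Makes a fresh
# 2048-bit RSA key plus a CSR for it; hand the CSR to your CA, then revoke
# the old cert yourself if the reissue did not.
rekey_and_csr() {
  host=$1; key=$2; csr=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/CN=$host" && chmod 600 "$key"
}

# Usage:
#   check_local_openssl
#   server_advertises_heartbeat example.com:443 && echo "still advertises heartbeat"
#   rekey_and_csr example.com example.com.key example.com.csr
```

The version check is deliberately pessimistic about self-built OpenSSL and says nothing useful about distro packages; the extension check is the opposite, it can only clear a server, never convict one.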
Is your OpenSSL server not actually important to anyone but your cat and just a random TLS server for [reasons][which are probably cat pictures]?

That's cool, turn off your HTTPS listener till you have a chance to patch.

I ship client applications that connect to arbitrary websites/mail systems and use OpenSSL libraries!

Well, the bug cuts both ways: a malicious server can read your client's memory the same way. Either you dynamically link and better hope the OSes update soon (your users still have to restart your app to pick up the new libssl), or you statically link and you should recompile and push updates.



*Consider updating to 1.0.1g or later once the dust settles so you can improve your TLS support (1.0.1 is where TLS 1.1 and 1.2 showed up).

**Yes, yes, as always, the terms hardware, firmware, and software don't apply well to appliances (it's all software, dude, have you seen my klout score on hacker news?!?!) and you can be a wonderful pedant about them, but if you're reading this you know exactly what I mean.

*** This barely even matters because cert revocation status checking is pretty much a broken process: browsers soft-fail when they can't reach the OCSP responder, so anyone who can MITM you can also block the check. OCSP stapling is the one sane alternative and only helps where both your server and the client actually support it.

Comments

Comments will never be enabled.

If you feel that comments are necessary to tell me that I'm wrong about something - I refer you to the central premise of this site: the things I am saying here are wrong.

If you feel this limits your free speech, you're wrong. Lots of things are doing that these days though, so you should probably get better informed on the specifics there. I direct you to http://www.popehat.com/free-speech-resources/ Popehat is a great resource for things like this, frequently funny, and almost always too contrarian and deliberately centrist to have political views worth caring about.

If you feel that you need to speak to me directly, I encourage that. If you found this, then you can find me elsewhere on the internet easily. Bluesky is generally preferable.