Urgent security advisory: #Heartbleed – OpenSSL Vulnerability

This is an urgent security advisory regarding OpenSSL vulnerability CVE-2014-0160, revealed today to be a catastrophic, remotely exploitable bug affecting all applications that use an affected version of OpenSSL.

The vulnerability was announced via the domain http://www.heartbleed.com.

Which versions are affected is unclear:

  • The Heartbleed website says everything above 1.0.0+
  • We also read an unconfirmed report that it was 1.0.1 through 1.0.1f (inclusive)
  • The OpenSSL advisory dated today states “Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1”

(To check the OpenSSL version from your Unix shell, type: $ openssl version)

The following analysis has been posted regarding the bug:

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

An online tool that checks whether your web server is at risk is available here:

http://filippo.io/Heartbleed/

Recommendations:

If you are running a vulnerable version:

  • Upgrade your OpenSSL libs
  • Restart any applications that use OpenSSL

But wait, there’s still more…

You then have to decide whether or not to treat your existing keys as already compromised (because if they were, there is no way you would know it). If you feel the risk is too great, you must re-issue your SSL certs after generating new private keys and using them to generate new CSRs.

Unfortunately, this is the same thing as buying or renewing your SSL cert(s).
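The steps above (check the installed version, upgrade and restart, then generate a fresh key and CSR) can be scripted. The following is an added example, not part of the easyDNS advisory: it classifies the version string reported by openssl version against the ranges quoted from the OpenSSL advisory (1.0.1 through 1.0.1f inclusive, and 1.0.2-beta1), and wraps the key/CSR regeneration in a function. The hostname argument and the "/CN=" subject are constructed placeholders; adjust the subject to match your CSR's existing details if you intend to use a free re-issue. One caveat: some distributions ship a backported fix while still reporting an old version string such as 1.0.1e, so a match here means "check your package's changelog", not a confirmed vulnerability.

```shell
#!/bin/sh
# Added example (not the advisory's own code). Classifies an OpenSSL
# version string and, when affected, shows the key/CSR regeneration step.

# Return 0 (true) when the version string is inside the ranges quoted in
# the OpenSSL advisory: 1.0.1 through 1.0.1f inclusive, or 1.0.2-beta1.
# Suffixes such as "-fips" (seen on some builds) are tolerated.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1-*)            return 0 ;;   # 1.0.1 with no letter
        1.0.1[a-f]|1.0.1[a-f]-*)  return 0 ;;   # 1.0.1a .. 1.0.1f
        1.0.2-beta1|1.0.2-beta1-*) return 0 ;;  # 1.0.2-beta1
        *)                        return 1 ;;   # 0.9.8x, 1.0.0x, 1.0.1g+, ...
    esac
}

# Extract just the version token from "OpenSSL 1.0.1e 11 Feb 2013".
installed_openssl_version() {
    openssl version | awk '{print $2}'
}

# Generate a brand-new private key and a CSR signed with it. The key is
# written with restrictive permissions; the subject is a placeholder.
regenerate_key_and_csr() {
    host="$1"
    umask 077
    openssl genrsa -out "$host.key" 2048 &&
    openssl req -new -key "$host.key" -out "$host.csr" -subj "/CN=$host"
}

# Stand-alone run: report on the locally installed OpenSSL, if any.
if command -v openssl >/dev/null 2>&1; then
    v=$(installed_openssl_version)
    if heartbleed_affected "$v"; then
        echo "OpenSSL $v is in the affected range: upgrade, restart services," \
             "then regenerate keys and CSRs (unless your distro backported the fix)"
    else
        echo "OpenSSL $v is outside the affected range"
    fi
fi
```

After upgrading and restarting, a call such as regenerate_key_and_csr www.example.com (hypothetical hostname) produces www.example.com.key and www.example.com.csr; the CSR is what you submit to your certificate issuer.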

At this point we do not know if the certificate issuers will do something about this unprecedented situation, such as allow free re-issues or offer some kind of price break. But if you are running an ecommerce website, or the security of your customer data is paramount, you may want to do the same thing we did here at easyDNS tonight, which was to go ahead and purchase new SSL certs (after upgrading our OpenSSL libs and regenerating our keys & CSRs).

Update: Free Cert Re-Issues

It has been pointed out (immediately after emailing this alert to all our SSL customers) that our supplier, GeoTrust, allows free certificate re-issues as long as the info used to generate your CSR hasn’t changed.

Go here: http://www.geotrust.com/support/ssl-certificate-reissuance/

In any case, check with your systems team, assess your vulnerability and keep your children indoors. This is pandemonium.