Overview#

Heartbleed, a devastating vulnerability in OpenSSL, was disclosed to the public in April 2014.

The attack exploits the implementation of the Heartbeat Protocol, a little-used TLS protocol extension.

Problem#

The exploit allows an attacker to trick the server into disclosing a substantial chunk of memory, repeatedly. As you can imagine, process memory is likely to contain sensitive information, for example the server's private keys for encryption. If those are compromised, the security of the server goes down the drain, too.
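To make the flaw concrete, here is an added illustration written for this page (it is not OpenSSL's code) of the vulnerable pattern beside the hardened one: a heartbeat message carries a peer-supplied payload length, and the fix is to verify that this length fits inside the record actually received before echoing anything back. The function names, constants and the two sample records are constructed for the example; the message layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 * Names below are hypothetical; this is not OpenSSL's implementation. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Constructed sample records (not captured traffic). Trailing bytes are the
 * zero-filled padding. The second record claims a 65535-byte payload while
 * carrying only 4 bytes. */
const unsigned char HB_SAMPLE_OK[23]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
const unsigned char HB_SAMPLE_BAD[23] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

/* Read the header and return the peer-supplied payload length, or -1 if the
 * record is too short to even hold a header or is not a request. */
static int hb_claimed_len(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    return (rec[1] << 8) | rec[2];
}

/* Vulnerable pattern: the claimed length is trusted. This version never reads
 * past the record; it only reports how many bytes beyond the received record
 * an unchecked copy would have taken from process memory (0 = none). */
int hb_overread_bytes(const unsigned char *rec, size_t rec_len) {
    int payload = hb_claimed_len(rec, rec_len);
    if (payload < 0) return -1;
    size_t needed = HB_HEADER_LEN + (size_t)payload + HB_MIN_PADDING;
    return needed > rec_len ? (int)(needed - rec_len) : 0;
}

/* Hardened pattern: reject any record whose claimed payload length does not
 * fit inside the record actually received, then build the response. Returns
 * the response length, or -1 if the record is rejected or resp is too small. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char *resp, size_t resp_cap) {
    int payload = hb_claimed_len(rec, rec_len);
    if (payload < 0) return -1;
    size_t needed = HB_HEADER_LEN + (size_t)payload + HB_MIN_PADDING;
    /* The bounds check the vulnerable code lacked. */
    if (needed > rec_len) return -1;
    if (needed > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)payload);
    /* Real code must fill the padding with fresh random bytes; zeroed here
     * so the example is deterministic. */
    memset(resp + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return (int)needed;
}

int main(void) {
    unsigned char resp[64];
    printf("well-formed record: unchecked over-read = %d bytes, hardened = %d\n",
           hb_overread_bytes(HB_SAMPLE_OK, sizeof HB_SAMPLE_OK),
           hb_build_response(HB_SAMPLE_OK, sizeof HB_SAMPLE_OK, resp, sizeof resp));
    printf("oversized claim:    unchecked over-read = %d bytes, hardened = %d\n",
           hb_overread_bytes(HB_SAMPLE_BAD, sizeof HB_SAMPLE_BAD),
           hb_build_response(HB_SAMPLE_BAD, sizeof HB_SAMPLE_BAD, resp, sizeof resp));
    return 0;
}
```

The well-formed record passes both paths; the record with the oversized claim would have caused an unchecked copy to pull 65531 bytes from beyond the received data, whereas the hardened path rejects it outright. The general lesson is that any length field supplied by the peer must be validated against the bytes actually received before it drives a copy.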

Resolution#

If upgrading is not practical, you can rebuild your current version of OpenSSL from source without Heartbeat Protocol support by adding the following compile switch:
-DOPENSSL_NO_HEARTBEATS
This switch ensures that the defective code is never compiled in, so it can never be executed.

All Heartbleed-vulnerable systems should immediately upgrade to OpenSSL 1.0.1g.

If you are not sure whether an application you want to access is vulnerable to Heartbleed, try any one of the Heartbleed detector tools.

No action required if your application is not vulnerable.

If the application is vulnerable, wait for it to be patched with OpenSSL 1.0.1g. Once the patch is applied, all the users of such applications should follow the application's release documents from the service providers. Typically, steps to follow once the patch is applied are:

  • changing your password
  • regenerating private keys
  • revoking and replacing certificates

An important step is to restart the services that are using OpenSSL (such as HTTPS, SMTP etc.), since a running process keeps using the old library and keys until it is restarted.

Before accessing any SSL/TLS application such as HTTPS, check to see whether the application is vulnerable. Do not access or log in to any affected sites.

Ensure all such vendors or enterprises related to

Heartbleed detector tools#

The following list of tools may help you detect whether a website is vulnerable to Heartbleed:

More Information#

There might be more information for this subject on one of the following:

This page (revision-7) was last changed on 22-May-2016 04:28 by jim