Overview

The Heartbleed bug, a devastating vulnerability in OpenSSL, was disclosed to the public in April 2014.
Problem

The exploit allows an attacker to trick the server into disclosing a substantial chunk of its memory, and to do so repeatedly. As you can imagine, process memory is likely to contain sensitive information, for example the server's private keys. If those are compromised, the security of the server goes down the drain, too.
Resolution

If upgrading is not practical, you can rebuild your current version of OpenSSL from source without Heartbeat protocol support by adding the following compile switch:

-DOPENSSL_NO_HEARTBEATS

This switch ensures that the defective code never gets executed.
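To make concrete what "the defective code" does and what the fix checks, here is a constructed C model of a TLS heartbeat handler (an added example, not OpenSSL's own source): the same function runs either without the bounds check, as the vulnerable versions did, or with it, as 1.0.1g does. The names hb_process and hb_demo, the request bytes and the "CONSTRUCTED-PRIVATE-KEY-BYTES" string are all made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat handler (not OpenSSL's own code).
 * Record layout per RFC 6520: type (1) | payload_length (2, big-endian) | payload | padding.
 * rec_len is the number of bytes actually received. check_bounds=0 reproduces the
 * Heartbleed defect; check_bounds=1 applies the fix. Returns bytes written to out, or -1. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };

int hb_process(const uint8_t *rec, size_t rec_len, int check_bounds,
               uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* taken from the peer, unverified */
    /* The fix: the claimed payload must fit inside the bytes actually received. */
    if (check_bounds && 3 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;                                          /* silently discard the record */
    size_t resp_len = 3 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;                                          /* demo guard so out cannot overflow */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* unchecked: copies bytes lying beyond the record */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Simulated process memory: a 5-byte heartbeat request followed by data that must
 * never leave the process. The request claims a 40-byte payload but carries only 2.
 * Returns hb_process's result; out receives the response. */
int hb_demo(int check_bounds, uint8_t *out, size_t out_cap)
{
    uint8_t mem[64] = { HB_REQUEST, 0x00, 40, 'h', 'i' };
    memcpy(mem + 5, "CONSTRUCTED-PRIVATE-KEY-BYTES", 29);   /* constructed secret, stays inside mem */
    return hb_process(mem, 5, check_bounds, out, out_cap);
}

int main(void)
{
    uint8_t out[128];
    int n = hb_demo(0, out, sizeof out);
    printf("unchecked: %d bytes echoed, payload \"%.*s\"\n", n, n > 19 ? n - 19 : 0, (const char *)(out + 3));
    printf("checked:   %d (record rejected)\n", hb_demo(1, out, sizeof out));
    return 0;
}
```

With the check disabled the 59-byte response carries the two real payload bytes followed by the neighbouring "private key" bytes; with it enabled the malformed record is dropped and nothing is echoed.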
All Heartbleed-vulnerable systems should immediately upgrade to OpenSSL 1.0.1g.
If you are not sure whether an application you want to access is vulnerable to Heartbleed, try one of the Heartbleed detector tools listed below.
No action is required if your application is not vulnerable.
If the application is vulnerable, wait for it to be patched with OpenSSL 1.0.1g. Once the patch is applied, users of the application should follow the release notes published by its service provider. Typically, the steps to follow once the patch is applied are:
- changing your password
- generating private keys again
- certificate revocation and replacement
Ensure all such vendors or enterprises related to
Heartbleed detector tools

The following list of tools may help you detect whether a website is vulnerable to Heartbleed:
More Information

There might be more information on this subject at one of the following:
- [#1] - Keys left unchanged in many Heartbleed replacement certificates! - based on 2015-04-29