HeartBleed Aftermath

Heartbleed, What happened and what to do about it.

heartbleed photoBy now, you would recieve emails from various companies explaining the Heartbleed Vulnerability in OpenSSL, which is a part of the Secure Socket Layering system used on most secure sites, and whether they are affected with brief instructions with what to do if you are concerned. Luckily the technical stuff is server-side and already fixed, the users just have to be more vigilant.

Background

The problem is with HeartBeat, a part of OpenSSL which talks between user to server, verifies a key against its certificate then checks the certificate with the signing authority. The attack is basically on the memory section where Heartbeat temporarily stores data using a specialized query.

Almost 70% of the internet uses OpenSSL, however less than 20% seem to be vulnerable. As OpenSSL is an Open Source project, many developers have adapted it to their needs/configurations; pushing the vulnerability rate down more. The vulnerability is thought to have been around for 2 years, and not noticed until now by the small team what run the project, who are busily improving the code and had a patch out hours before the press starting to take notice

So What’s happened because of this?

So far, only 1 reported case of it being used in a malicious way, and 1 not so malicious, but comical report. It seems the damage control, the patching process, the advice to website admins and consumers and press timing worked.

Certificates as of 12th April, have been reissued when servers are patched. Make sure you check the date of the certificate in your address bar’s padlock.

Of course this means you will be worried over your bank and utilities accounts being compromised. Easiest way to be sure is to look at the address bar. If you see .ASP or .ASPX, you’re safe. The server runs Windows and doesn’t have OpenSSL at all.

If it has .PHP, best check with a URL heartbleed checker for the vulnerability

 

Photo by theglobalpanorama

 

Leave a Reply