DigitalSparky.com That Binary Buzz!

Heartbleed OpenSSL TLS Vulnerability [CVE-2014-0160]

Hi all,

As you may or may not be already aware, a significant security vulnerability in OpenSSL has recently been found.

The bug is in the OpenSSL cryptographic library, which provides the SSL/TLS implementation for a large share of the world's web servers, mail servers, VPNs and other network daemons.

The flaw is in OpenSSL's handling of the TLS heartbeat extension (RFC 6520). A peer sends a heartbeat request that declares a payload length larger than the payload it actually sent; the vulnerable code trusts that length without checking it against the bytes received, and echoes back up to 64 KB of whatever lies next in the process's memory. The request can be repeated as often as the attacker likes, so large amounts of memory can be harvested over time, potentially including the server's private key, session cookies, usernames, passwords and other data that would normally only ever travel inside the encrypted channel. Note that OpenSSL clients are affected too: a vulnerable client that connects to a malicious server can be read out the same way.

The vulnerable code was added to OpenSSL at the end of December 2011 and shipped in the 1.0.1 release. OpenSSL 1.0.1 through 1.0.1f are affected (as is 1.0.2-beta1); the fix is in 1.0.1g. The 1.0.0 and 0.9.8 branches never had the heartbeat code and are not affected. Be aware that distributions such as Debian, Ubuntu and Red Hat backport the fix without bumping the upstream version number, so an "OpenSSL 1.0.1e" reported by `openssl version` may or may not be patched: check the package changelog, not just the version string.
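To make the mechanism concrete, here is a small model of the heartbeat handler, written as an added example for this page; it is not OpenSSL's code and not part of the original post. The record layout follows RFC 6520, the `record_t` type, the handler names, the stand-in secret and the sample records are all constructed for the demo, and the "fixed" handler carries the same bounds check that OpenSSL 1.0.1g added. The malicious record is placed inside a larger buffer so that the over-read stays within memory the program owns and the demonstration has defined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: a model of TLS heartbeat handling showing
 * why CVE-2014-0160 leaks memory and what the 1.0.1g bounds check changes.
 * Message layout (RFC 6520): [type:1][payload_length:2 BE][payload][padding>=16]
 * The receiver must echo payload_length bytes of payload back. The vulnerable
 * code trusted payload_length and never compared it with the bytes actually
 * received, so the echo copied up to 65535 bytes of adjacent process memory. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* A received record: the bytes the TLS record layer really delivered. */
typedef struct {
    const unsigned char *data;
    size_t length;                 /* what OpenSSL calls s->s3->rrec.length */
} record_t;

/* Build the echo: response type, declared length, 'payload' bytes copied from
 * 'src', then padding. Returns bytes written, 0 if 'out' is too small. */
static size_t build_response(const unsigned char *src, unsigned payload,
                             unsigned char *out, size_t out_cap)
{
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return 0;           /* guards only the OUTPUT buffer */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, src, payload);          /* copies 'payload' bytes from src */
    memset(out + 3 + payload, 0, HB_PADDING);  /* stand-in for random padding */
    return need;
}

/* Vulnerable handler: believes the sender's payload_length outright. */
size_t heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    unsigned payload = ((unsigned)p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    if (type != HB_REQUEST) return 0;
    return build_response(p, payload, out, out_cap);   /* rec->length never consulted */
}

/* Fixed handler: same logic plus the 1.0.1g checks: drop records too short to
 * hold header and padding, and drop any request whose declared payload would
 * not fit inside the bytes actually received. */
size_t heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap)
{
    if (rec->length < 1 + 2 + HB_PADDING) return 0;
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    unsigned payload = ((unsigned)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return 0;  /* the fix */
    if (type != HB_REQUEST) return 0;
    return build_response(p, payload, out, out_cap);
}

/* Constructed sample: a 19-byte request claiming a 64-byte payload but carrying
 * none, placed at the start of 'arena', with a stand-in secret right after it,
 * the way key material or a password might sit in adjacent heap memory. */
static const char SECRET[] = "SECRET_PRIVATE_KEY_BYTES";

void build_malicious_record(unsigned char *arena, size_t cap, record_t *rec)
{
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST; arena[1] = 0x00; arena[2] = 0x40;  /* claims 64 bytes */
    memset(arena + 3, 0xAA, HB_PADDING);                       /* only padding follows */
    memcpy(arena + 3 + HB_PADDING, SECRET, sizeof SECRET);
    rec->data = arena;
    rec->length = 3 + HB_PADDING;                              /* 19 bytes arrived */
}

/* Constructed sample: an honest request with the 5-byte payload "hello". */
void build_valid_record(unsigned char *arena, size_t cap, record_t *rec)
{
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST; arena[1] = 0x00; arena[2] = 0x05;
    memcpy(arena + 3, "hello", 5);
    memset(arena + 3 + 5, 0xAA, HB_PADDING);
    rec->data = arena;
    rec->length = 3 + 5 + HB_PADDING;                          /* 24 bytes arrived */
}

/* Bytes echoed by the vulnerable handler if the echo contains the secret, else -1. */
int leak_demo(void)
{
    unsigned char arena[256], out[256]; record_t rec;
    build_malicious_record(arena, sizeof arena, &rec);
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    return memcmp(out + 3 + HB_PADDING, SECRET, sizeof SECRET - 1) == 0 ? (int)n : -1;
}

/* Bytes echoed by the fixed handler for the malicious record. */
int fixed_demo(void)
{
    unsigned char arena[256], out[256]; record_t rec;
    build_malicious_record(arena, sizeof arena, &rec);
    return (int)heartbeat_fixed(&rec, out, sizeof out);
}

/* Bytes echoed by the fixed handler for the honest record if the echo is correct, else -1. */
int valid_demo(void)
{
    unsigned char arena[256], out[256]; record_t rec;
    build_valid_record(arena, sizeof arena, &rec);
    size_t n = heartbeat_fixed(&rec, out, sizeof out);
    return (n == 24 && memcmp(out + 3, "hello", 5) == 0) ? (int)n : -1;
}

int main(void)
{
    printf("vulnerable handler: echoed %d bytes, secret included\n", leak_demo());
    printf("fixed handler, same record: echoed %d bytes\n", fixed_demo());
    printf("fixed handler, honest request: echoed %d bytes\n", valid_demo());
    return 0;
}
```

The point to take from the two handlers is that the only length the vulnerable code ever checked was the size of its own output buffer; nothing tied the sender's claimed payload length to the size of the record that had actually arrived, which is exactly the one comparison the fix adds.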

To fix this, update OpenSSL on every server and then restart (or reboot) every daemon that links against libssl: web servers, mail servers, VPNs, load balancers and so on. A process started before the upgrade keeps the old, vulnerable library mapped in memory until it is restarted. If a patched package is not yet available, OpenSSL can be rebuilt with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension entirely.

Exploitation leaves nothing in the server's logs, so there is no way to tell what has or has not been leaked. Best practice is to assume that everything that was in the memory of those processes is compromised, and act accordingly.

You should generate new private keys, have new certificates issued from those keys and revoke the old ones (re-signing a certificate over the existing key is not enough, since the key itself is what may have leaked), change all user credentials, invalidate existing sessions and session cookies, and tell your users what happened.

You can confirm that a site is no longer vulnerable to Heartbleed with this tool: http://filippo.io/Heartbleed/

Make sure the site is no longer vulnerable BEFORE you change your credentials; otherwise the new credentials can be leaked the same way, defeating the purpose of changing them in the first place.

For more information on this vulnerability, check out http://heartbleed.com/