Before I start, please understand the information below is for general edification and not meant to be construed as a set of instructions for your particular environment. If you’d like help understanding what should be done for your company, please contact me, or another trusted IT consultant.
Now with the legalities out of the way, why all the heartache about HeartBleed?
The 2012-2014 releases of OpenSSL, the library that implements the HTTPS/SSL/TLS authentication and encryption protocols, have a serious defect (named HeartBleed). On a 10-point scale, one respected security researcher rates HeartBleed 9 out of 10. Yes, it is that bad.
Why? HeartBleed enables the mass theft of the private keys behind the security certificates used to negotiate the authentication and encryption between clients and servers.
What makes this defect so insidious is that it lays bare the very interactions we most want to keep secure, namely financial and identity-related interactions, like those between your laptop and your bank, online retailers and social media. It is urgent that you update your computer as well as any electronic devices that have internet access, such as:
- Routers and Firewalls,
- Printers,
- Network attached storage,
- NEST thermostats,
- and any other devices similar to the ones listed above.
You should test your browser to ensure it correctly handles invalid certificates. A certificate is a special electronic file, digitally signed by a certificate authority, proving that the owner of the certificate is indeed who they say they are. Any company that uses OpenSSL as part of its infrastructure has requested new certificates from the issuing authority, because before the OpenSSL defect was found a malicious third party could have obtained the private key behind the old certificate. If your browser handles invalid (revoked) certificates properly, the bad actor won’t be able to convince your browser that they are your bank and trick you into typing your user ID and password into a false website masquerading as the real bank website.
First, test your browser by going to https://revoked.grc.com. You should get an error indicating the certificate has been revoked. If you get no error, then your browser needs to be updated immediately! Do not use it to connect to any sensitive site, such as a financial institution.
Secondly, if you don’t mind resetting your passwords in the process, test the websites you visit by going to https://www.ssllabs.com/ssltest/. Type the website you want to check into the Domain Name field and press Submit. Be aware that you might need to use your password during the test, so change it IMMEDIATELY after you finish the test.
What to do if your browser fails the test at revoked.grc.com? Check out the latest list of browsers below and their current state (as of 29 Apr 2014):
- Firefox, v. 29.0 passes the test for Mac OS X and Windows 7. I did not test on Windows 8.
- Google Chrome version 34.0.1847.131 for Mac OS X and Windows 7 passes the test and indicates that the site certificate is invalid, but treats the error as a soft fail, potentially putting you in danger (later versions should be retested to ensure no regression has made its way back into the codebase).
- Internet Explorer, all versions, fails, not just for HeartBleed but for other reasons as well, and needs to be avoided at all costs. If you have to use Windows, use Firefox v.29.0. If you have an ActiveX application that requires IE, ask your developer for a version that does not require ActiveX.
- Firefox on Android properly handles the revoked certificates, Chrome on Android does not.
- Safari on iOS handles extended validation certificates properly but fails on standard validation certificates. Let’s hope Apple gets an update out soon to address this.
In short, use Firefox v.29.0 for Windows, OS X and Android until Chrome and Safari are updated. Use Safari on iOS if your sites support extended validation certificates, or use your laptop for banking until things get sorted.
UPDATE: There were no solutions that provided a fix for Heartbleed on Windows XP! If you're still using Windows XP, please upgrade to a Mac (or Windows 7 Pro) NOW!
If you are a sysadmin reading this, please update and patch all applications and middleware that rely on OpenSSL, and update OpenSSL itself to the most current version (OpenSSH is not affected). Assume your encryption keys and security certificates have been compromised: get new ones now, and revoke your old certificates as well. While you’re doing this, go ahead and adopt extended validation certificates; this will protect iOS clients. EV certificates cost more, but who wants to explain to the Board of Directors why you couldn’t avoid a security breach? In addition to swapping out your certificates, go ahead and reset all passwords. And if you’re really intrepid, check out Perfect Forward Secrecy (ephemeral Diffie-Hellman).
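Two of the items on that sysadmin list can be verified from the outside: that the certificate your server now presents was issued after the date you replaced it, and that it negotiates an ephemeral Diffie-Hellman key exchange. The Python script below is an added example, not the author's code; the function names, the cutoff date (constructed) and the hostname are assumptions, and the cipher-name prefixes are the ones OpenSSL uses for ephemeral (EC)DH suites.

```python
"""Post-Heartbleed checks for a server you administer (added example,
assumed names): was the certificate reissued after your cutoff date,
and is the negotiated key exchange ephemeral (forward secret)?"""
import socket
import ssl

# OpenSSL cipher-suite name prefixes that mean ephemeral (EC)DH key exchange.
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral keys.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")

# Constructed cutoff: the day you patched OpenSSL and requested new certificates.
EXAMPLE_CUTOFF = ssl.cert_time_to_seconds("Apr 29 00:00:00 2014 GMT")


def cipher_is_forward_secret(cipher_name: str) -> bool:
    """True if the negotiated suite uses ephemeral Diffie-Hellman (PFS)."""
    return cipher_name.upper().startswith(FORWARD_SECRET_PREFIXES)


def cert_issued_after(not_before: str, cutoff_epoch: int) -> bool:
    """not_before is the 'notBefore' string from ssl.getpeercert(),
    e.g. 'Apr 30 12:00:00 2014 GMT'. The old key must be assumed stolen,
    so the certificate in use should postdate your reissue."""
    return ssl.cert_time_to_seconds(not_before) > cutoff_epoch


def check_server(host: str, cutoff_epoch: int, port: int = 443) -> dict:
    """Connect with a verifying TLS context and report both checks."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    with socket.create_connection((host, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cipher_name, protocol, _bits = tls.cipher()
    return {
        "protocol": protocol,
        "cipher": cipher_name,
        "forward_secret": cipher_is_forward_secret(cipher_name),
        "cert_not_before": cert["notBefore"],
        "cert_reissued_after_cutoff": cert_issued_after(cert["notBefore"], cutoff_epoch),
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    for key, value in check_server(host, EXAMPLE_CUTOFF).items():
        print(f"{key}: {value}")
```

Run it against your own hostname; a `forward_secret` of False means the server still prefers a static RSA key exchange, and a `cert_reissued_after_cutoff` of False means the old certificate is still being served.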
This isn’t meant to be a complete list of what could be done, but should give you a good place to start.