The Confusing OpenSSL Heartbleed Vulnerability


Hopefully by now you have heard about this bug (CVE-2014-0160), which was announced on April 7th, 2014. If not, I suggest that you spend a little time reading about it while it's still fresh in the news.

OpenSSL is an open-source library that implements SSL/TLS, the protocol that encrypts data in transit between one computer or server and another. It's widely used by websites and service providers for email, online orders, financial transactions, and so on. It's what sits behind the little padlock icon that you see in your web browser next to https addresses.

Basically this bug lets an attacker read chunks of the server's memory that were never meant to leave the server. The flaw is in OpenSSL's implementation of the TLS heartbeat extension: a client sends a heartbeat request that claims a larger payload than it actually carries, and the server copies up to 64 KB of whatever happens to be next in its memory into the reply. The attacker doesn't get to choose what comes back, so one request may return nothing useful, but repeated requests can turn up usernames and passwords, session cookies, and even the server's private key, and nothing about the attack shows up in the server's normal logs.

The confusing part is figuring out whether a particular website or service is affected. Only OpenSSL 1.0.1 through 1.0.1f (plus the 1.0.2-beta1 pre-release) contain the bug; 1.0.1g fixes it, and the older 0.9.8 and 1.0.0 branches never had the heartbeat code, so they are not affected. One caveat for anyone checking their own server: most Linux distributions fixed the bug by patching their existing 1.0.1 package rather than shipping 1.0.1g, so a server can still report a version like 1.0.1e and be fixed. Check the package changelog or the build date shown by `openssl version -a` rather than the version number alone.
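How the leak actually happens, as an added example that is not OpenSSL's own code: the C program below models the shape of OpenSSL's tls1_process_heartbeat() in 1.0.1 through 1.0.1f next to the two bounds checks that 1.0.1g added. The server's memory, the heartbeat record and the "session cookie" lying next to it are all constructed here so the program runs offline and never reads outside its own buffer; a real server copies whatever is on its heap, up to 64 KB per request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    512

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len, unsigned char *resp);

/* Constructed stand-in for the server's memory: the record under processing sits at
 * offset 0 and a constructed session cookie follows it, like unrelated heap data would. */
static unsigned char server_mem[MEM_SIZE];
static unsigned char response[MEM_SIZE];            /* what the server sends back */
static const char secret[] = "session=4fd1c0ffee; user=alice";

/* Heartbeat request whose header claims claimed_len bytes but carries actual_len. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Echo `payload` bytes starting at p back as a heartbeat response. */
static size_t reply(const unsigned char *p, unsigned int payload, unsigned char *resp)
{
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Shaped like OpenSSL 1.0.1-1.0.1f: the length comes from the attacker's header and
 * is never compared with rec_len, so reply() copies memory past the record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    unsigned char hbtype = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];   /* n2s() */
    (void)rec_len;                                  /* never consulted: the bug */
    if (hbtype != HB_REQUEST)
        return 0;
    return reply(rec + 3, payload, resp);           /* over-reads if payload > rec_len - 19 */
}

/* Shaped like the 1.0.1g fix: check that the header fits, then that the claimed
 * payload fits, and silently discard the record otherwise (RFC 6520 section 4). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    unsigned char hbtype;
    unsigned int payload;
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;
    hbtype = rec[0];
    payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;
    if (hbtype != HB_REQUEST)
        return 0;
    return reply(rec + 3, payload, resp);           /* copy now stays inside rec */
}

/* Run one 16-byte heartbeat that claims claimed_len bytes through a handler, with
 * the secret placed right after the record. Returns the response length
 * (0 = discarded); the response bytes are left in `response`. */
static size_t probe(hb_handler handler, uint16_t claimed_len)
{
    static const unsigned char real_payload[16] = "heartbeat-probe";  /* constructed */
    size_t rec_len;
    memset(server_mem, 0, sizeof server_mem);
    rec_len = build_heartbeat(server_mem, claimed_len, real_payload, sizeof real_payload);
    memcpy(server_mem + rec_len, secret, sizeof secret);
    return handler(server_mem, rec_len, response);
}

/* 1 if the probe's response carries bytes the client never sent (the secret). */
static int leaks_secret(hb_handler handler, uint16_t claimed_len)
{
    size_t i, n = probe(handler, claimed_len), len = strlen(secret);
    for (i = 3; i + len <= n; i++)
        if (memcmp(response + i, secret, len) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: malicious -> %zu bytes, leaks secret: %d; honest -> %zu bytes\n",
           probe(heartbeat_vulnerable, 100), leaks_secret(heartbeat_vulnerable, 100),
           probe(heartbeat_vulnerable, 16));
    printf("fixed:      malicious -> %zu bytes (0 = discarded); honest -> %zu bytes\n",
           probe(heartbeat_fixed, 100), probe(heartbeat_fixed, 16));
    return 0;
}
```

Compile with `cc -std=c99 heartbleed_demo.c` (file name assumed). The 35-byte request that claims 100 payload bytes gets a 119-byte reply from the vulnerable handler, and the constructed cookie is in it; the fixed handler drops that request without answering, while both handlers still answer an honest 16-byte heartbeat with 35 bytes. This is also exactly what the online checkers do against a live server: send a heartbeat with an inflated length and see whether more data comes back than was sent.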

Many servers don't use OpenSSL at all. Microsoft's IIS, for example, uses Windows' own SChannel TLS stack, so a service or website running on it was never exposed to this bug.

There are also other TLS libraries besides OpenSSL (GnuTLS and Mozilla's NSS, for example), and servers built on those are likewise immune to this particular bug.

According to the experts, around 66% of websites use OpenSSL. That figure comes from the combined market share of Apache and nginx, which are usually built against OpenSSL, so it counts sites that might use OpenSSL, not sites running the vulnerable version. I do know there are still a lot of sites on the unaffected 0.9.8 branch.

If a particular website or provider was vulnerable, you are supposed to change your account password only after they have patched OpenSSL and replaced their certificate. Doing so beforehand is useless and a waste of time: the new password can be leaked the same way the old one was.

Trying to figure out which sites may have been affected, and whether they have patched their servers and regenerated their keys and certificates, is a difficult task. Patching alone is not enough: a server that installed the fix but kept its old private key is still exposed if that key was already leaked.

Some experts say you should change your password everywhere, while others say this is only necessary if you hold an account at specific websites. The problem is that the published advice only covers the more popular sites.


You can use the following online tests to check whether a given site is currently vulnerable (they report the state right now, not whether it was vulnerable last week):
http://filippo.io/Heartbleed/
https://www.ssllabs.com/ssltest/
http://rehmann.co/projects/heartbeat/

There was a recent article over at MSN claiming that the Heartbleed bug could also affect corporate and home networks, since certain products such as wireless routers embed OpenSSL for their web interfaces and VPN features. More information on this one here: Heartbleed bug spreads to routers and other gear.

The disappointing thing about this bug is that it was in the wild for around two years before it was discovered: the heartbeat code was introduced in OpenSSL 1.0.1, released in March 2012.

As tedious as it may be, I personally don't see a problem with changing your password at various websites and providers just in case. However, you do want to make sure that the site has been patched (and has a new certificate) before doing so.

There are also lists published of what you should do if you use certain services. Here are a couple that you can check if interested:
http://www.bbc.com/news/technology-26971363
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Things to keep in mind:
When things like this happen you may get phishing emails that try to trick you into "changing your password" on a bogus website and coughing up your login details. Never click on the links in these emails, even if they look legitimate. Always go directly to the website, by typing its address or using a bookmark, to log in.

About: Jeremy LeSarge - AKA: Ray (209 Posts)

I am the site owner and administrator of DialMe.com. I provide help and tips for Boonex Dolphin on the main part of this website where you will also find an assortment of other resources. Here, on the blog I write about a variety of topics surrounding WordPress, technology, social media/networking, SEO, and webmaster resources.

4 Comments

  1. Reply

    Ray,

    You raise a good point that of the 66% of the websites that the experts say use OpenSSL, we have no idea of how many are actually at risk. As you mention, version 0.9.8 is not affected. I think it’s a good idea to check individual websites using online tests on sites like the ones that you provided links to.

    Thanks for the link to the article about the Heartbleed bug spreading to routers and other gear. Great tip on phishing emails too!
    Sherryl Perry recently posted: The Heartbleed Bug and More #FridayFinds

    • Reply

      When you use the test tools, they will say fixed or not affected. It's not clear if a site was affected at one point and maybe just patched it, or if it was immune because it used another version or another type of SSL encryption.

      I would rather not change all my passwords if I didn't have to because it will take a while to do so, but at this point I would say it's better to be safe than sorry. I would expect that the bigger sites have applied the patch if need be by now. Smaller sites may be another story. As far as I know, cPanel will automatically patch it when it runs the nightly update if a website owner has them enabled. They would still want to regenerate new keys just to be safe though. Of course not every server is running cPanel or a control panel that automatically updates.

      From what I read, 4 guys are responsible for programming and developing OpenSSL, and they have never been in the same room together. At least that's what an article I read said. You would think that since it is widely used they could get more funding for something that is important to website security around the world. Maybe they will this year.

    • Reply

      Hi Sherryl,

      I am pretty sure that if it says not affected or fixed it could mean either of two things. One is that it wasn't affected at all because the site wasn't using the vulnerable version, or the server is using Microsoft IIS, for example, which isn't affected because IIS doesn't use OpenSSL. The second thing is that it was affected, but has been patched so it is no longer affected.

      I know when this first became public I did check a bunch of sites. I did find a few that said vulnerable when I used the Filippo checker. When I checked the same sites about 24 hours later it said not affected or fixed.

      In that case they could have been exposed to this bug for the past 2 years. That is one thing the checkers don’t really tell us. I think that is why some of the experts are saying to change your passwords anyway just to be safe.

      I know a lot of banks and financial types of sites use IIS and they weren't affected by this, but there could be some that aren't on IIS servers.

      Changing passwords is such a pain since we tend to have many these days. This is a good reminder that we should actually change them more often than what we do. I almost wish some sites would force us to change them 2-4 times per year.
