[updated 2014-04-12 01:59]
Most of you will have heard about the Heartbleed Bug by now. Here is a quick overview and some useful links.
According to heartbleed.com (emphasis mine):
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Many (web) servers using openssl may have leaked private keys, user names, passwords, session cookies, and any other data handled by the server including (confidential) emails and documents. Leaked private keys can be used to decrypt intercepted traffic and perform man-in-the-middle attacks.
The affected versions of openssl have been in widespread use since 2012; the bug is easily exploitable, and attacks leave no trace -- therefore, it should be taken very seriously.
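To show where the memory leak comes from, here is an added illustration that is not code from the original post or from OpenSSL: a simplified heartbeat request handler with the length check that the fix introduced, and a note of what the vulnerable releases did instead. The message layout follows RFC 6520; the function names and the sample requests are my own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes). Constructed example, not OpenSSL. */
#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_PADDING    16

/* Build a heartbeat response for the request held in rec[0..rec_len).
 * Returns the response length, or 0 if the request is malformed.
 * OpenSSL 1.0.1 through 1.0.1f omitted the bounds check marked below and
 * copied payload_length bytes of whatever followed the record in memory:
 * up to 64 KiB of keys, passwords or session data per request. */
size_t heartbeat_response(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;    /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* peer-supplied length */

    /* The fix: the claimed payload must fit inside the record we received. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);          /* echo only what was sent */
    memset(out + 3 + payload, 0, HB_PADDING);   /* OpenSSL uses random padding */
    return resp_len;
}

/* Test helper: build a request whose claimed length may differ from the
 * real payload length, to model a malformed request. */
size_t build_request(unsigned char *buf, size_t cap, const char *payload,
                     uint16_t claimed_len)
{
    size_t plen = strlen(payload);
    size_t len = 1 + 2 + plen + HB_PADDING;
    if (len > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, plen);
    memset(buf + 3 + plen, 0, HB_PADDING);
    return len;
}
```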
Those servers need to be patched, and the compromised keys need to be replaced and revoked. Any data that may have been intercepted or leaked should be considered compromised. Unfortunately, certificate revocation does not work as well as it should, and many network appliances and other embedded systems, for example, are not easily patched.
Users will need to change passwords once services have patched the bug and started using new keys -- users should not log into accounts from afflicted sites until they have confirmation that the service has been patched. Unfortunately, many services have not yet released information regarding whether they were vulnerable or not, and if so, whether they have taken the necessary steps to fix the bug.
Servers are not the only systems affected. Client-side software could expose data from your computer if it connects to compromised servers. Fortunately, Firefox and Chromium do not seem to use openssl.
You may even want to change all passwords, even for services not affected, just in case someone managed to break into your email account and used it to change those passwords.
Some advice from MyKolab:
- Keep your systems updated
- Encrypt your devices
- Lock your screens
- Never re-use passwords
- Choose good passwords
- Regularly change your passwords
Firefox users may be interested in Certificate Patrol, an add-on that reveals when SSL certificates are updated.
See the Heartbleed article on Wikipedia and the resources listed below for more information.
- Felix
→ Ars Technica: Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
→ Ars Technica: Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style
→ Ars Technica: Heartbleed vulnerability may have been exploited months before patch
→ Ars Technica: Researchers find thousands of potential targets for Heartbleed OpenSSL bug
→ Diagnosis of the OpenSSL Heartbleed Bug
→ Tor: OpenSSL bug CVE-2014-0160
→ Schneier on Security: Heartbleed
→ Schneier on Security: More on Heartbleed
→ xkcd: Heartbleed Explanation
→ BBC: Heartbleed Bug: Tech firms urge password reset
→ Mashable: The Heartbleed Hit List: The Passwords You Need to Change Right Now
→ NYTimes: Experts Find a Door Ajar in an Internet Security Method Thought Safe
→ Tom's Guide: Heartbleed: Who Was Affected, What to Do Now
→ CNET: 'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords
→ CNET: How to protect yourself from the 'Heartbleed' bug
→ CNET: Heartbleed bug: Check which sites have been patched
→ CNET: Heartbleed bug: What you need to know (FAQ)
→ EFF: The Bleeding Hearts Club: Heartbleed Recovery for System Administrators
→ EFF: Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?
→ Volkskrant (Dutch): Heartbleed: ernstig lek in beveiligde internetverbindingen (Heartbleed: serious leak in secured internet connections)
→ Volkskrant (Dutch): 'Heartbleed'-lek: deze wachtwoorden kunt u het best zo snel mogelijk wijzigen ('Heartbleed' leak: these passwords are best changed as soon as possible)
→ Volkskrant (Dutch): Internet in paniek om Heartbleed - maar hoe erg is het echt? (Internet in a panic over Heartbleed - but how bad is it really?)
Q&A & Discussion
→ Hacker News: The Heartbleed Bug
→ Hacker News: OpenSSL Security Advisory: TLS heartbeat read overrun
→ Reddit Programming: The Heartbleed Bug
→ Stack Exchange: What should a website operator do about the Heartbleed OpenSSL exploit?
→ Stack Exchange: What should end-users do about Heartbleed?
→ Stack Exchange: Should I change all my passwords due to heartbleed
→ Stack Exchange: Does the heartbleed vulnerability affect clients as severely?
Services
→ Amazon: AWS Services Updated to Address OpenSSL Vulnerability
→ Bitbucket: All Heartbleed upgrades are now complete
→ GitHub: Security: Heartbleed vulnerability
→ Heroku: OpenSSL Heartbleed Security Update
→ MyKolab: Information on Heartbleed Bug & New SSL Certificate
→ PayPal: OpenSSL Heartbleed Bug - PayPal Account Holders are Secure
→ RubyGems.org's response to CVE-2014-0160 (heartbleed)
→ Trello and the Heartbleed OpenSSL Vulnerability
...