Heartbleed - A Note to Clients and Friends

Ben Holt
Summary
If you have one of our security packages that covers operating system (OS) level security, your server is no longer vulnerable to Heartbleed. All affected servers managed by The Jibe were upgraded on April 8th, the day the vulnerability was publicly disclosed. We will be in direct contact with our affected clients in the next day or two to plan next steps, which may involve having a new SSL Certificate issued and installed, a risk assessment and, if necessary, consultation on how to protect your site users if their data was potentially compromised.
Background
Heartbleed is the name that has been given to a vulnerability in the widely used OpenSSL software. Officially the vulnerability is known as CVE-2014-0160. OpenSSL is used to encrypt data when it travels across the Internet, such as between a store's web server and a user's browser. The vulnerability could be exploited to recover a server's secret SSL key, which in turn could be used to impersonate the server or perform a "man in the middle" attack, where an attacker is able to intercept and decrypt network traffic as it travels between the server and end user. Unfortunately, unlike most vulnerabilities, the exploitation of Heartbleed does not leave any tell-tale tracks in server logs, therefore it is impossible to tell whether a vulnerable server has been exploited or not. With this in mind, it is safest to assume that all vulnerable servers were exploited.
For The Jibe and our clients, web server security is at the centre of our concern, however it is important to note that OpenSSL is used to secure many Internet protocols, not just those used by websites. Other vulnerable systems could include mail servers, database servers, virtual private networks (VPNs), and many others.
Is My Server Vulnerable?
Some rather wild numbers have been thrown around in the press about the number of web servers affected. One statistic I have seen in multiple places claims 66% of all servers were affected. I believe this number originates from http://heartbleed.com, which cites Apache and Nginx web server market share (66% of active web sites) as reported in April's Netcraft web server survey as part of their discussion on how widespread the issue is. Non-technical reporters have seized on this number without realising that many web servers do not run OpenSSL, and of those that do, not all are vulnerable. Let me try to clarify:
1. Most web sites do not use encryption, and are not vulnerable.
2. Of the sites that use encryption, 66% of them use OpenSSL (this is where the misreading stems from).
3. Of the sites using OpenSSL, only the ones using versions from 1.0.1 to 1.0.1f are vulnerable; older and newer versions are not affected.
Some of our clients' servers were vulnerable, but many were not. We typically use the Debian distribution of Linux for our client servers. The "old stable" version of Debian, known as Squeeze, was not vulnerable to Heartbleed. The "current stable" version of Debian, known as Wheezy, did have a vulnerable version of OpenSSL. A fix was released by the Debian maintainers that corrected the vulnerability on Monday April 8th. For our clients on security packages we upgraded their servers on April 8th, the same day the vulnerability was publicly disclosed. For our clients who are not on security packages, or whose hosting provider includes operating system (OS) security upgrades as part of their service, we are in the process of reaching out to those providers to find out whether they were vulnerable and when to expect any vulnerability to be fixed.
Next Steps
We will be in touch with all of our clients to let them know whether their sites were vulnerable or not and to go over next steps.
Replace the SSL Key and Certificate - As a general outline, our approach is to assume that if your site was on a vulnerable server your SSL key was compromised and should be replaced. We have reached out to NameCheap.com, the SSL certificate provider we typically recommend to our clients, and have been told that they will reissue SSL certificates free of charge. Other SSL providers may charge a fee to reissue an SSL certificate. Reissuing an SSL certificate involves generating a new SSL key and a new Certificate Signing Request (CSR) and then going through the process of having the SSL certificate provider sign the request and issue a new SSL certificate. Once a new SSL certificate has been issued, it and the new key must be installed on the server. Only after a new SSL key and certificate are installed will a previously vulnerable site be truly fixed. This is because the OpenSSL vulnerability potentially disclosed the SSL key, and without a new SSL key the old one could still be used to decrypt network traffic even after OpenSSL has been upgraded.
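The version range from the "Is My Server Vulnerable?" section and the key/CSR step above, as an added shell example (not The Jibe's own tooling). The host name, file paths and 2048-bit RSA size are assumptions; the 1.0.2-beta1 entry comes from the OpenSSL advisory rather than this post.

```sh
#!/bin/sh
# Added example: triage an OpenSSL version string against the Heartbleed range,
# then generate the fresh key and CSR needed for a certificate reissue.

# Returns 0 (true) when the upstream version is in the affected range.
# Accepts either the full output of `openssl version`
# (e.g. "OpenSSL 1.0.1e 11 Feb 2013") or a bare version such as "1.0.1e".
heartbleed_vulnerable() {
    set -- $1                      # split on whitespace (function-local $1..)
    case "$1" in
        OpenSSL) ver=$2 ;;
        *)       ver=$1 ;;
    esac
    case "$ver" in
        # 1.0.1 through 1.0.1f (and 1.0.1e-fips style suffixes) are affected;
        # the OpenSSL advisory also lists 1.0.2-beta1.
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) return 0 ;;
        # 0.9.8, 1.0.0 and 1.0.1g or later are not affected.
        *) return 1 ;;
    esac
}

# Caveat for Debian and other distributions: the security fix is backported, so
# a patched Wheezy package still reports 1.0.1e. Treat this check as a first
# pass and confirm the installed package revision against the Debian advisory
# (dpkg -l openssl) before declaring a host clean.

# Generate a new private key and CSR for reissue. Hypothetical arguments:
# the site's host name; output files are written to the current directory.
new_key_and_csr() {
    host="$1"
    umask 077                      # private key must not be world-readable
    openssl genrsa -out "$host.key" 2048
    openssl req -new -sha256 -key "$host.key" -out "$host.csr" -subj "/CN=$host"
}

# Stand-alone use: triage the local OpenSSL, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    if heartbleed_vulnerable "$(openssl version)"; then
        echo "upstream version in the affected range; verify the package revision"
    else
        echo "upstream version outside the affected range"
    fi
fi
```

Run `new_key_and_csr shop.example` to produce `shop.example.key` and `shop.example.csr`; the CSR goes to the certificate provider and the key stays on the server only.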
Consider the risk to your users - We will be working with our clients to assess the level of risk to themselves and their users so that they can respond accordingly. We will urge our clients to be forthright with their users in order to protect their data and our clients' liability risks. As a rule, we avoid storing valuable data on our clients' servers whenever possible. For example, we purposely do not store credit card data on any of our clients' servers. In some cases the risk to users may be limited to their password, in which case we will work with our clients to reset users' passwords.
More Reading
The security advisory issued by OpenSSL.org
Good Heartbleed background reading provided by Codenomicon
UPDATE - April 9th - I have spoken with EZP, our Canadian hosting provider of choice, and they have confirmed that they have upgraded all vulnerable systems and that they will be doing some further work to reset potentially compromised passwords in the near future.