The Heartbleed genie is out of the bottle – now what?

Now that the details of Heartbleed are public, anyone can use it against vulnerable servers. What should be done?

The Heartbleed vulnerability in OpenSSL has been recognised as a major blow for internet security and open source development.

But the first thing businesses need to do is verify whether their version of OpenSSL is affected.

Only businesses using OpenSSL 1.0.1 through to OpenSSL 1.0.1f are at risk. OpenSSL 1.0.0 and 0.9.8 are safe, useable and do not have the same vulnerability.

"Although there are high-profile websites that are affected, given that the majority of businesses do not upgrade SSL certificates regularly, many will be safe from the Heartbleed bug,” said Mark Brown, director of information security at EY.

Apply fixes quickly

But now the details of Heartbleed are public, anyone can use it against vulnerable servers that have not yet patched the OpenSSL bug and changed SSL certificates, according to the Electronic Frontier Foundation (EFF).

This means appliance suppliers, operating system suppliers and independent software suppliers should adopt the fix as soon as possible and notify their users.

All websites, online service providers and other organisations that use OpenSSL to encrypt transactions need to:

  • Update to the latest version of OpenSSL;
  • Revoke compromised cryptographic keys;
  • Reissue X.509 certificates with new keys;
  • Apply fixes for operating systems, networked appliances and business software;
  • Advise users to change their passwords once the vulnerability is patched.

Where it is not possible to update to OpenSSL 1.0.1g immediately, software developers should recompile OpenSSL with the compile time option OPENSSL_NO_HEARTBEATS, said security firm Codenomicon.

Use perfect forward secrecy

But in some organisations these steps may take weeks or months to complete, so the EFF has recommended the immediate implementation of perfect forward secrecy (PFS)

Read more on Heartbleed

PFS works by creating a new, disposable key for each exchange of information, so the key for every individual session would have to be decrypted to access the data.

This means that if a server is configured to support PFS, a compromise of its private key cannot be used to decrypt past communications.

PFS ensures protection of encrypted data even if another party obtains decryption keys, adding an extra layer of security to HTTPS encryption.

Google, Facebook, Twitter, Dropbox and Tumblr have all implemented PFS in recent months. LinkedIn and Yahoo are expected to follow soon.

Patches then passwords

Although some online service providers are urging users to change passwords, some security experts have warned against rushing to do so.

Wait until you know a particular website or service has been patched before changing your password

“There is one important reason why you might not want to rush out and change all your passwords on all your services right this minute,” wrote Paul Ducklin in a Sophos blog post.

He said it is a kind of catch-22 situation because the new password may also be at risk due to Heartbleed.

Ducklin advises people to wait until they know that a particular website or service has been patched before changing the password associated with it.

A banking industry source told Computer Weekly that users of online banking and other services should stay offline until they are sure the vulnerability has been addressed, and then change their passwords.

Several security firms and independent developers have published online tests to help people discover if the online services they use are still exposed.

Ducklin also recommends adopting two-factor authentication (2FA) wherever possible to make stolen passwords much less useful to cyber criminals.

Guidelines for new passwords

  • Avoid a password that can be discovered through social media, such as a pet’s name.
  • Avoid words that appear in a dictionary as these are easily cracked.
  • Use pass phrases rather than single passwords.
  • Use unusual characters, such as substituting ‘1’ for ‘i’ in a memorable phrase.
  • Use a different password for each online account.

Read more on Privacy and data protection