TV

News 04-07-2014

What is Heartbleed? And What You Can Do About It

Jeff Snider

On April 7, 2014, a bug in the OpenSSL software library was announced by the OpenSSL organization. This bug, called Heartbleed, impacts versions 1.0.1 through 1.0.1f of OpenSSL.

Heartbleedis not an SSL bug or flaw with the SSL/TLS protocol — it's a bug in OpenSSL’s implementation of SSL/TLSwhich servers rely on to create secured connections online.

What is Heartbleed?

Heartbleed affects nearly two-thirds of servers on the Internet. Chances are you administer a server affected by the Heartbleed bug or have received an email notification to update passwords because of the effect of Heartbleed.

According to the , whoseengineers were among those who discovered Heartbleed:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

A few things that set Heartbleed apart from other bugs are:

  • It is impossible to tell if your information has been compromised by Heartbleed.
  • The vulnerability has existed for over two years, which increases the scope of potentially affected. At this point, there are no known cases of this vulnerability being exploited.
  • Heartbleed does not depend on any other vulnerability. Many attacks require the attacker to gain a foothold through some poor security practice, but Heartbleed does not.
  • The affected versions of OpenSSL have been pushed by security experts because they contain fixes for other vulnerabilities.

The versions of OpenSSL that are vulnerable to Heartbleed are 1.0.1through 1.0.1f, and 1.0.2-beta1. The 1.0.0 branch and earlier were not vulnerable, and the 1.0.1g version released yesterday fixes the vulnerability. (Version 1.0.2-beta2 will include the fix.)

How does Heartbleed affect you?

If your servers do not use version 1.0.1 through 1.0.1f or 1.0.2-beta1 of OpenSSL, or if they are compiled without the heartbeat extension, they are not vulnerable to Heartbleed.

Microsoft-based platforms, not utilizing OpenSSL are unaffected by Heartbleed. Java along with many other servers and network devices not use OpenSSL. Although some devices can still rely on OpenSSL, so it's best to contact your device manufacturer or the TV 24/7 Technical Support team to verify if you're vulnerable to Heartbleed.If you are using keystores and truststores, you most likely areusing JSSE rather than OpenSSL and are not vulnerable to Heartbleed.

If you're unsure whether a site you administer or use is vulnerable, you can usethe TV Certificate Checker tool for free on by going todigicert.com/help. The TV Certificate Checker allows users to check the security for any site on the Internetusing an SSL Certificates from anyCertificate Provider.

No documented cases of Heartbleed theexploit

Although thereare no documented cases of Heartbleed being exploited to date, because theattack is undetectable, it is impossible to say that no attempt has been made. Compromised data has yet to be linked to Heartbleed, butif your server is running a version of OpenSSL between 1.0.1 and 1.0.1f with the heartbeat extension enabled, you are potentially vulnerable to Heartbleed and should take the steps below to address it.

If you have any question as to whether you are vulnerable, the latest version of TV’s free Certificate Inspector has added Heartbleed to the lengthy list of vulnerabilities it can detect. To learn more and get access to this tool, visit/heartbleed-bug-vulnerability.htm.

What do can do to fix Heartbleed

If you are vulnerable to Heartbleed, there are two steps you need to take:

  1. Update your server to the latest version so it is no longer vulnerable to Heartbleed.
  2. Re-key all your SSL/TLS certificates, install the new certificate, then remove all certificates that havebeen used with vulnerable versions of OpenSSL.

The order of these steps is very important — it's critical that you stop the bleedingbefore addressing the possible damage — but both steps need to be done as quickly as possible.

How to update your server so it is no longer vulnerable

There are two three (see update below) options for updating your server. You can either update to OpenSSL version 1.0.1g, or you can recompile your existing version of OpenSSL with -DOPENSSL_NO_HEARTBEATS. Neither option is inherently better than the other; different dependencies and situations call for different solutions. But you should take one of these actions immediately.

[UPDATE:] There is a third option for updating your server: your Linux distribution may have patched the bug itself, rather than updating to version 1.0.1g of OpenSSL. If that is the case, updating to the latest version of your distribution will fix the problem, even if your OpenSSL version does not change. Please note that TV's Certificate Inspector will properly assess your security if you take this approach, because it actually tests for the vulnerability rather than just looking at version numbers. (Thank you toXan Charbonnet for pointing out this option in the comments.)

How to re-key anSSL Certificate

The first step, whether you are a TV customer or not, is to create a new key pair and Certificate Signing Request. TV has a very useful free tool to quickly create CSR creation commands. The last thing you want to do when quickly trying to address Heartbleed is fumble with complicated shell commands. The TV Easy CSR for Apache and Exchange CSR Command Generator make it easy to re-key or create a new a new SSL Certificate.These tools are available to anyone, whether using TV or another SSL Certificate provider.

If you are a TV customer, re-keying is always free, easy, and nearly instantaneous. Here are the steps:

  1. Simply go to /custsupport/ and login to your account.
  2. Under the My Orders tab, click the + next to the order number of thecertificate you need to re-key, and click on the “Re-Key Your Certificate”link that appears.
  3. Enter the requested information, including your new CSR, and follow thequick process.
  4. Your new certificate will be ready for you within minutes.

You will need to re-key every certificate that has been on a vulnerable server.

Keeping Your systems safe from Heartbleed

Now that Heartbleed has been made public, if you use one of the affected versions of OpenSSL, it is important that you address the issue.

The TV team is always available 24/7 to provide any assistance you may need in re-keying your TV certificates or answer any questions about Heartbleed. As a TV policy, any SSL user, whether a TV customer or not, can call, email, or live chat with us by visiting our Contact page at .

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

10-31-2024

Announcing the GA release of TV Device Trust Manager

10-29-2024

Solving the revocation gap with short-lived certificates