Heartbleed SSL Encryption Vulnerability Requires Quick Attention

By Wayne Rash  |  Posted 2014-04-09

"THIS PARTICULARLY INCLUDES NATIONAL AND INTERNATIONAL INTELLIGENCE AGENCIES [emphasis his] who routinely record all traffic and can now use or have used the vulnerability to read the private keys needed for decrypting the recorded historic data," he wrote.

This means that anyone, such as a national spy agency or an organized cyber-crime group, who captured your company's traffic as it crossed the public Internet can now go back and decrypt what they recorded, provided those connections relied on the server's private key to protect the session key (the default RSA key exchange). Sessions negotiated with a forward-secret cipher suite (ephemeral Diffie-Hellman) cannot be recovered this way even with the private key in hand, which is one more reason to prefer them.

So now what? If the Heartbleed exploit could have been used against any site with which you connect, it means that at the very least you need to change your security credentials there. This includes changing all of those passwords that you never could remember. Do it only after the site has upgraded its OpenSSL and installed a new certificate, though: a password changed on a still-vulnerable server can be read out of its memory just like the old one.

If your company is vulnerable, meaning any of your servers terminate SSL/TLS with OpenSSL 1.0.1 through 1.0.1f (the typical case is a Linux server, but the bug is in the library, not in the operating system), Ylönen has some suggestions:

Companies should "upgrade their OpenSSL library to version 1.0.1g" and "create a new private key, generate a certificate request, and purchase a new certificate from their CA (certificate authority) and install the new key," Ylönen wrote, noting that "this must be done for each web site supporting SSL/TLS (https: addresses)." Because a key that may have leaked can be used to impersonate the site until the certificate expires, the old certificate should also be revoked at the CA once the new one is in place.

At this point, as I said earlier, there's no evidence that cyber-criminals have exploited this vulnerability, but you need to be sure. If your Web services run on a Linux server with a distribution-supplied OpenSSL from the 1.0.1 series, you were most likely vulnerable. Check the installed package rather than trusting the version string alone: several distributions backported the fix without renaming the library to 1.0.1g, so the package changelog is the more reliable indicator. If you connect to such a server using SSL/TLS, your protected data may have been compromised.

However, if the server in question runs some version of Windows Server with Microsoft's own TLS stack (SChannel), chances are you weren't compromised, because the flaw is in OpenSSL's code rather than in the protocol itself; the same holds for any platform whose TLS implementation is not OpenSSL. Software that ships its own copy of OpenSSL on Windows is still exposed. Ylönen said that a Website has been set up to provide information about this problem. He also noted that the SSH protocol used by system administrators was not affected: SSH does not use TLS, so the heartbeat code never runs, even though OpenSSH links the same library for its cryptographic primitives.

Sadly, this is one of those situations in which a minor change designed to make life easier for users of SSL turned out to be the problem. The bug lives in OpenSSL's implementation of the TLS heartbeat extension, a keep-alive that lets one end of a connection send a small payload and have the peer echo it back, so that the peer knows the connection is still alive and no new handshake is needed. Each heartbeat request carries a length field stating how long its payload is, and the vulnerable code trusted that field: it allocated a response of the claimed size and copied that many bytes out of the incoming record without checking that the record actually contained that many bytes. A request that declares a large payload but sends only a few bytes therefore gets back up to 64 KB of whatever happened to sit next to it in the server's memory, which can include session data, passwords and the private key. The fix in 1.0.1g is a single bounds check that discards any request whose claimed length exceeds the record.
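The following is an added illustration, not code from the article or from OpenSSL itself: a compressed model of OpenSSL's heartbeat handler with the 1.0.1f behaviour and the 1.0.1g bounds check side by side. Server memory is modelled as one flat array in which a constructed 23-byte heartbeat request is followed by a constructed string standing in for key material; the function names, the `SECRET` contents and the 0xAA padding are assumptions made for the demo, and the real code allocates its response on the heap and fills the padding with random bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding a heartbeat message carries */

/* Hypothetical secret placed next to the request in our model of server memory. */
#define SECRET "PRIVATE-KEY-BYTES"

/*
 * Model of OpenSSL's tls1_process_heartbeat(): build the response to the
 * heartbeat record at `rec` (rec_len bytes received on the wire) into `out`.
 * Returns the response length, or -1 if the request is rejected.
 * fixed == 0 reproduces the 1.0.1f logic; fixed == 1 adds the 1.0.1g check.
 */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap, int fixed)
{
    if (rec_len < 3 || rec[0] != TLS1_HB_REQUEST)
        return -1;

    /* n2s(): the 16-bit payload length claimed by the sender */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    const unsigned char *pl = rec + 3;

    /* The 1.0.1g fix: claimed payload, header and padding must all fit inside
     * the record that actually arrived. Without it, `payload` is trusted. */
    if (fixed && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)            /* our fixed buffer; the real code malloc'd */
        return -1;

    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);    /* s2n() */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);   /* over-reads past the record when payload is a lie */
    bp += payload;
    memset(bp, 0, HB_PADDING); /* real code fills the padding with random bytes */
    return (int)resp_len;
}

/* One flat array standing in for the server's heap: the request is placed at
 * the start and the secret immediately after it, so an over-read lands on it. */
static unsigned char arena[512];

/*
 * Send a heartbeat carrying the 4-byte payload "ping" but claiming `claimed`
 * bytes, and return what the server answers. resp[3..] holds the echoed data;
 * with the vulnerable code and a large `claimed`, resp[23..] is the secret.
 */
int heartbeat_demo(int fixed, uint16_t claimed, unsigned char *resp, size_t cap)
{
    const unsigned char body[] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = 1 + 2 + sizeof body + HB_PADDING;     /* 23 bytes on the wire */

    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, body, sizeof body);
    memset(arena + 3 + sizeof body, 0xAA, HB_PADDING);      /* sender's padding */
    memcpy(arena + rec_len, SECRET, strlen(SECRET));        /* constructed neighbour */

    return process_heartbeat(arena, rec_len, resp, cap, fixed);
}

int main(void)
{
    unsigned char resp[512];
    int n = heartbeat_demo(0, 256, resp, sizeof resp);
    printf("1.0.1f: %d-byte response, bytes 23..39 = \"%.17s\"\n",
           n, (const char *)resp + 23);
    n = heartbeat_demo(1, 256, resp, sizeof resp);
    printf("1.0.1g: dishonest request rejected (%d)\n", n);
    n = heartbeat_demo(1, 4, resp, sizeof resp);
    printf("1.0.1g: honest request answered with %d bytes echoing \"%.4s\"\n",
           n, (const char *)resp + 3);
    return 0;
}
```

The dishonest request is only 23 bytes long but claims 256, so the unpatched handler copies 4 bytes of genuine payload, 16 bytes of padding and then 236 bytes of neighbouring memory into the reply; the patched handler refuses it outright while still answering an honest 4-byte request. A real attacker repeats this with a 64 KB claim against a live server, which is why the leaked material can include the private key.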

What's worse, this is a situation where you could have done everything right and still have been compromised. Of course, best practices recommend that you encrypt sensitive data before it is transmitted anywhere, regardless of whether you're using SSL. That would have limited the damage in this case, although anything a vulnerable server held in memory in the clear was still exposed.
