• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 413
  • Last Modified:

HeartBleed bug

I am a noice, and I know the Heatbleed is basically a memory leak taht exposes pw, content, potentially crypto keys....

but in laymans terms, what are the issues moving forward

what will occur as far as fixes (or attacks) in the near future, and how will that affect us
Anthony Lucia
Anthony Lucia
5 Solutions
Dave BaldwinFixer of ProblemsCommented:
Heartbleed only affects a limited number of versions of OpenSSL.  However it has been present for two years.  Here http://heartbleed.com/ is the official site and information.  Many sites have already been fixed but recommend you change your passwords on those sites in case they were revealed in the previous two year.  Note that any particular system can have several copies and versions of OpenSSL in different programs.
Dave HoweSoftware and Hardware EngineerCommented:
As sites are fixed (after sites are fixed, in other words) you should change your password there (changing passwords is a good idea periodically anyhow)

In order to know if a site HAS been fixed, then one of the two plugins for Firefox or Chrome is a good idea, or look out for a statement from the site owner (or both :)

if you own a site, consider replacing the secret key/certificate after ensuring the ssl module was upgraded; this may not be needed in all cases (for instance, a code review of nginx has shown it does not store the secret key in memory near where the heartbleed bug could "reveal" it) but again, may be good policy (and will make your users feel better).

A clearer understanding can be gained of the bug by looking at the very useful infographic over on xkcd:


and above all, don't panic! while this bug has been around for two years now, the conditions for exploiting it are relatively narrow and the risk, while real, of any specific set of credentials being revealed is actually quite low.
Rich RumbleSecurity SamuraiCommented:
Agreed, and it does not affect IIS installations at all:
You can run windows + apache + ssl however, so not all windows web servers are unaffected, but IIS ones are not affected.
Dave HoweSoftware and Hardware EngineerCommented:
Apache also has a choice of module - mod_ssl uses openssl (so needs updating) but mod_gnutls uses gnutls (which had its own issue a few weeks back, but isn't affected by heartbleed)

apache tomcat (the serverside java engine from the same project) also does not use openssl.

nginx does (so needs patching) [deleted] (may need users to change credentials after patching)

UPDATE - nginx has been proven vulnerable to secret key disclosure for a window after a reboot, so keys on that platform should be considered compromised and replaced.

Tony GiangrecoCommented:
Updating your SSL components should help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now