As you may have read in recent news there’s a new SSL attack in town: CVE-2014-0160, a.k.a. Heartbleed.
There certainly is a lot of buzz about this right now. Is it a serious vulnerability? Yes. Does it impact you as a FoxyCart customer? No. We have checked our systems and ensured that they are not affected by this security bug.
Is this kind of issue unprecedented? Is it the end of Internet security? No, there have been major security problems with OpenSSL (and other libraries) in the past. But Heartbleed is indeed something new.
The unique “fun” of the Heartbleed bug is that it allows an attacker to read chunks of memory and find interesting things that should have been protected, like usernames, passwords, and TLS keys. Y’know, the things we use SSL to protect in the first place. Oh, and did I mention that the attacker can do this without even requesting resources over the SSL connection? Yes, this is something that happens way down in the application stack, down where Apache or nginx are waiting for OpenSSL to finish its handshake and start sending HTTP data.
Wow, that sounds pretty bad, right? “Hey, I have a server,” you’re thinking, “should I be concerned about this?” Yes, definitely. But there’s good news here: the bug only affects a slice of OpenSSL releases. From the Heartbleed site:
Status of different [OpenSSL] versions:
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable
How do you check if you’re vulnerable? If you have shell access, it takes a single command, and you don’t even need to be root:
% openssl version
If you’re on 0.9.8 or 1.0.0, then congrats, you’re safe from Heartbleed! Be careful when upgrading and, as always, watch your Linux distribution’s security list for patches.
For Ubuntu, the 12.04, 13.04, and 13.10 releases use affected versions of OpenSSL and should be updated ASAP. If you’re running 10.04, as we are, then you have OpenSSL 0.9.8 and are safe from Heartbleed.
If you’re on one of the affected OpenSSL versions then you need to upgrade that package ASAP. All major Linux vendors have already released security patches; you just need to tell your machine to fetch and install them.
A full guide to upgrading packages is beyond the scope of this article, but at least on Ubuntu it’s as simple as: sudo aptitude update && sudo aptitude upgrade openssl
After upgrading the library, however, you’re still not done: you need to restart every piece of software that uses OpenSSL. This means your web server, your SSH server, and more. The safest path is to reboot the entire machine.
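The version check above, turned into a small POSIX shell script that classifies an `openssl version` string against the table from the Heartbleed site. This is an added example, not part of the original post or any FoxyCart tooling; the sample version strings in the test are constructed. It assumes only a POSIX `sh` and, for the live check, an `openssl` binary in PATH. One caveat it builds in: distributions often backport the fix without bumping the upstream version string (the patched Ubuntu package still reports 1.0.1), so a "vulnerable" verdict on a library built on or after 2014-04-07 should be confirmed against your distribution's package changelog.

```shell
#!/bin/sh
# Classify an "openssl version" string against the Heartbleed table.
# Prints one of: vulnerable, fixed, not-affected, unknown. Branches the
# post does not cover (later releases, LibreSSL) come back as "unknown".
heartbleed_status() {
    ver=${1#OpenSSL }      # accept "OpenSSL 1.0.1e 11 Feb 2013" or just "1.0.1e"
    ver=${ver%% *}         # keep only the version token
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*) echo vulnerable ;;    # 1.0.1 through 1.0.1f
        1.0.1[g-z]*)               echo fixed ;;         # 1.0.1g and later
        1.0.0*|0.9.8*)             echo not-affected ;;  # branches without the heartbeat extension
        *)                         echo unknown ;;
    esac
}

# Run the check against the OpenSSL installed on this machine.
# "openssl version -b" prints the "built on:" date; a 1.0.1 build dated on or
# after 2014-04-07 may carry a distro backport, so confirm with the package
# changelog before trusting a "vulnerable" verdict.
check_local_openssl() {
    line=$(openssl version)
    echo "$line -> $(heartbleed_status "$line")"
    openssl version -b
}

# Only attempt the live check when an openssl binary is actually present.
command -v openssl >/dev/null 2>&1 && check_local_openssl
```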
Conclusion
Heartbleed is a big deal. Taking 5 minutes to run some commands on your server could save you from the pain of a security compromise down the road. But remember, this vulnerability doesn’t affect just you! Even big providers have issues with this, and you should consider changing any credentials stored on such a site.
You can use this tool or this site to check for the Heartbleed issue.
As a general health check, why not run your site through Qualys’ SSL Labs? This quick test will detect many common problems with SSL/TLS — missing certificate chains and use of weak algorithms or SSL versions.