What should I do about the Heartbleed bug for the sites I run?

9

The recently announced Heartbleed bug in OpenSSL affects many sites (70% of the internet).

There's a website:

http://www.heartbleed.com

There's a web-based test:

http://filippo.io/Heartbleed/

What should I do to protect the sites that I run?

Matt Cruikshank

Posted 2014-04-08T15:34:06.287

Reputation: 239

6

Better answered on [sf] - Heartbleed: What is it and what are options to mitigate it?

– Sathyajith Bhat – 2014-04-08T15:56:19.917

5

… as well as the StackExchange for security professionals. See http://security.stackexchange.com/questions/55076/ and http://security.stackexchange.com/questions/tagged/heartbleed .

– JdeBP – 2014-04-08T16:22:17.813

4

Every major SE computer related site now has this question... Probably soon it will be asked even on cooking.stackexchange.com :D

– VL-80 – 2014-04-08T19:10:07.763

I have added an end-user version of this question at http://superuser.com/questions/739260/what-should-end-users-do-about-the-heartbleed-security-bug (but someone has already downvoted it, without explanation).

– danorton – 2014-04-08T19:10:10.167

1

@Nikolay, now I'm so tempted to ask it on cooking.se... – Joe – 2014-04-08T21:30:51.477

Answers

7

You should:

  • Update your system to the latest OpenSSL version
  • Generate new keys and certificates for services relying on OpenSSL and restart them
  • Revoke former certificates
  • Invalidate all established sessions

Executifs

Posted 2014-04-08T15:34:06.287

Reputation: 249

I don’t suppose you know of some nice clear instructions for the last three steps, do you? – Paul D. Waite – 2014-04-08T17:28:56.143

Revoking and regenerating production certificates usually involves whichever process your CA has in place. Since that varies from one CA to the next... – Roger Lipscombe – 2014-04-08T17:50:27.650

How to update your system depends on your package manager. Invalidating sessions is application-dependent. As for certificates, you'll have to contact your CA but the first step should be to generate a new key and CSR: openssl req -nodes -newkey rsa:4096 -keyout post_heartbleed.key -out post_heartbleed.csr! – Executifs – 2014-04-09T08:14:24.503
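Added example, not taken from any answer or comment on this page: a POSIX shell helper that classifies the first line of `openssl version` output against the upstream affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later are fixed, and the 1.0.0 and 0.9.8 branches never had the bug), plus a check that a freshly generated key and CSR (the `openssl req` command Executifs quotes above) really belong together before the CSR is sent to the CA. Function names are my own. The classifier knows only upstream version numbers; Debian and Ubuntu backport the fix without changing the version string, so a `vulnerable` verdict means "confirm through your package manager", which is what the later answers do.

```sh
#!/bin/sh
# Added example: OpenSSL version triage and key/CSR consistency check.
# Helper names (heartbleed_status, csr_matches_key) are assumptions, not
# anything from the page or from the OpenSSL project.

# Classify a line such as "OpenSSL 1.0.1e 11 Feb 2013".
# Prints one of: vulnerable, fixed, unaffected, unknown.
heartbleed_status() {
  set -- $1                       # word-split: $2 becomes the version token
  case "$2" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
      echo vulnerable ;;          # upstream 1.0.1 .. 1.0.1f and 1.0.2-beta1
    1.0.1*|1.0.2*|1.1*)
      echo fixed ;;               # 1.0.1g+, 1.0.2-beta2+, 1.1.x
    0.9.*|1.0.0*)
      echo unaffected ;;          # branches without the TLS heartbeat code
    *)
      echo unknown ;;             # not OpenSSL, or an unparseable string
  esac
}

# Confirm that a new private key and the CSR built from it carry the same
# public key. Compares the SHA-256 of the PEM public keys extracted from each.
# Returns 0 on match, 1 on mismatch or if either file cannot be read.
csr_matches_key() {
  key_pub=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
  csr_pub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Triage the local build when openssl is installed; the classifier itself
# needs nothing but the shell.
if command -v openssl >/dev/null 2>&1; then
  echo "local openssl: $(heartbleed_status "$(openssl version)")"
fi
```

Usage: after `openssl req -nodes -newkey rsa:4096 -keyout post_heartbleed.key -out post_heartbleed.csr`, run `csr_matches_key post_heartbleed.key post_heartbleed.csr && echo ok` before submitting the CSR; a mismatch usually means the CSR was generated from the old, possibly leaked key.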

4

Stolen from a reddit comment.

  1. Update your system:

    sudo apt-get update
    sudo apt-get upgrade

  2. Reboot the server

  3. openssl version -a to make sure you have the latest version!!

Matt Cruikshank

Posted 2014-04-08T15:34:06.287

Reputation: 239

The OP delivers! – I am John Galt – 2014-04-08T17:12:04.960

1

@IamJohnGalt It's not like it's a locked safe or something. ;) – Ƭᴇcʜιᴇ007 – 2014-04-08T17:28:52.973

14

This is not sufficient. The SSL keys need to be replaced, without doing that a patch will still leave you vulnerable to past key theft. – Kyeotic – 2014-04-08T17:47:26.143

This assumes your system uses apt-get as your package manager. The question does not suggest this is necessarily the case. – Michael – 2014-04-09T17:12:10.907

0

More specifically for Ubuntu or Debian in general

/etc/init.d/apache2 stop
aptitude update
dpkg -l \*libssl\*
aptitude safe-upgrade libssl1.0.0
dpkg -l \*libssl\*
/etc/init.d/apache2 start

Ref http://www.ubuntu.com/usn/usn-2165-1/

rleir

Posted 2014-04-08T15:34:06.287

Reputation: 113
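Added example, not part of rleir's answer: upgrading the libssl package replaces the file on disk, but every long-running process that had already loaded the old library keeps executing the vulnerable copy until it is restarted. Stopping and starting apache2 around the upgrade covers the web server only; mail, VPN, database and monitoring daemons linked against OpenSSL need the same treatment. The helper below scans `/proc/<pid>/maps` for libssl or libcrypto mappings that the kernel has marked `(deleted)`, which is exactly the state such a process is in after the upgrade. It is Linux-only; the inner function reads maps text on stdin so it can be exercised against the constructed sample lines, and the function names are my own.

```sh
#!/bin/sh
# Added example: find processes still running the pre-upgrade OpenSSL library.
# Linux only: relies on /proc/<pid>/maps and the "(deleted)" suffix the kernel
# appends when a mapped file has been replaced or removed on disk.
# Helper names are assumptions, not tooling from the page or any distribution.

# Read /proc-style maps lines on stdin. Exit 0 if any libssl/libcrypto mapping
# points at a file that has since been replaced, 1 otherwise.
stale_libssl_in_maps() {
  grep -qE 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$'
}

# Walk every process and print "<pid> <command line>" for each one that still
# maps a replaced libssl/libcrypto. Prints nothing when the host is clean.
# Maps of other users' processes are unreadable without root, so run as root
# for a complete picture.
processes_with_stale_libssl() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}
    pid=${pid%/maps}
    if stale_libssl_in_maps 2>/dev/null < "$maps"; then
      printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    fi
  done
}

# Constructed sample maps excerpts (not captured from a real host) showing the
# two states the scanner distinguishes.
SAMPLE_STALE='7f3c1a2b3000-7f3c1a4f0000 r-xp 00000000 08:01 131073 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
SAMPLE_CLEAN='7f3c1a2b3000-7f3c1a4f0000 r-xp 00000000 08:01 131073 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Live scan of this host; an empty result means every process has picked up
# the upgraded library (or nothing here links against OpenSSL).
echo "processes still using a replaced libssl/libcrypto:"
processes_with_stale_libssl
```

Run it once right after `aptitude safe-upgrade libssl1.0.0` and again after restarting the services it lists; the second run should print nothing. A reboot, as the earlier answer suggests, achieves the same result with less bookkeeping.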