Do end users need to do anything about the Heartbleed security bug? What?

10

3

I see in the news about the “Heartbleed” security bug. As an end user, do I need to do anything about it?

danorton

Posted 2014-04-08T19:09:22.513

Reputation: 556

1

It shows a lack of research; the problem is with OpenSSL, which is clearly server side. – Ramhound – 2014-04-08T19:26:26.347

4

@Ramhound Could you provide a reference for that? Client applications can link to the OpenSSL library to provide SSL/TLS related functionality (see e.g. this). Also, from heartbleed.com (bold highlight mine): "*When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.*"

– Daniel Beck – 2014-04-08T20:28:01.687

@DanielBeck, Ramhound downvoted the question. Anyone can add a “no” answer. (I haven't even selected an answer, yet.) – danorton – 2014-04-08T20:31:12.117

While the leak can happen on both ends, a malicious hacker isn't going to attack the client side. I stand by my statement about the lack of research, though. Furthermore, Apache was the target from what I read. – Ramhound – 2014-04-08T21:06:41.960

As I mention in my self-answer, below, if you’re interested in the server vulnerabilities (and the possibilities of client-side data that has possibly been exposed via those vectors), I recommend reviewing this Q&A at serverfault: http://serverfault.com/questions/587329/heartbleed-what-is-it-and-what-are-options-to-mitigate-it

– danorton – 2014-04-08T21:16:13.803

1

@Ramhound you read wrong. Anything that links against OpenSSL is the target. Now, that includes Apache, but it is by no means limited to Apache. And besides, I still don't understand how you think this isn't properly researched. Besides, you've just fallen prey to one of the minor dumbs of the 6 Dumbest Ideas in Computer Security: "we're not a target" isn't an argument.

– strugee – 2014-04-09T07:04:10.327

Answers

7

Yes!

  1. Know and let others know that all information might have been revealed that was encrypted only by HTTPS for many web servers around the world.
  2. You should contact your service providers and confirm that they have plans or have already taken the necessary steps to correct the vulnerability (presuming they were susceptible to it). This especially includes banks, financial institutions and other services that hold your most valuable and sensitive information. Until they have confirmed that they have applied the corrections, the information that they make available to you via HTTPS remains vulnerable.
  3. Your service providers might disable your previous passwords or otherwise require you to change them, but, if they don’t, change your passwords after they have applied the corrections.

You can find basic information at http://heartbleed.com/

More technical information is available from:

For those who aren’t end users, see this question on serverfault:

danorton

Posted 2014-04-08T19:09:22.513

Reputation: 556

As a Linux end user, I have OpenSSH 1.0.1e installed on my laptop (Debian Wheezy). Do I still have nothing to worry about? – None – 2014-04-09T06:19:58.580

@StaceyAnne OpenSSH isn't affected, OpenSSL is. was that a typo? – strugee – 2014-04-09T07:02:00.470

yep, it was a typo. – None – 2014-04-09T07:22:50.373

"You should contact your service providers and confirm that they have plans or have already taken the necessary steps to correct the vulnerability." I assume by service providers you mean the websites and not ISPs, right? – Synetech – 2014-04-10T17:28:46.117

@Synetech, good point, but the wording is awkward. You can't contact a "website". I wonder what better term might go there. – danorton – 2014-04-12T21:00:12.333

"You can't contact a 'website'." I don’t understand what you mean; most websites have a Contact [us] link at the bottom of the page, especially professional companies like banks and such. – Synetech – 2014-04-12T22:32:27.717

Many do, many don't, but you don't contact a website any more than you contact an office building. You contact the business. – danorton – 2014-04-14T03:41:52.953

0

As a Linux user, I had OpenSSL 1.0.1e installed on my Debian 7.0 (wheezy) install.

To fix it, I did this:

apt-get update
apt-get upgrade openssl

This re-installs OpenSSL and replaces it with 1.0.1e-2, the fixed OpenSSL for Debian Wheezy.

The major issue is really on the server side, but it is a good idea to upgrade your client OpenSSL if it's installed, just to be sure. See Debian Security Advisory DSA-2896-1, "openssl -- security update", for further information.

user146393

Posted 2014-04-08T19:09:22.513

Reputation:
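A check that pins down the version question raised in this answer and in the "1.0.1e" comment on the accepted answer, added here as an example rather than code from the answer or from Debian's tooling: it classifies an upstream OpenSSL version against the affected range, then shows why on Debian the package revision, not the upstream string, decides whether Wheezy is patched. The banner and package versions it processes are constructed samples, and the fixed-revision value is a placeholder to be replaced with the version DSA-2896-1 names.

```shell
#!/bin/sh
# Added example, not part of the answer above or of Debian's tooling: decide
# whether an installed OpenSSL is in the Heartbleed-affected range, and show why
# "openssl version" alone is not enough on Debian.

# Upstream affected range, per the OpenSSL project's advisory: 1.0.1 through
# 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 carry the fix;
# 1.0.0 and 0.9.8 never contained the TLS heartbeat code. Case order matters:
# the first matching pattern wins.
heartbleed_upstream_status() {
  case "$1" in
    1.0.1|1.0.1[a-f]|1.0.1-beta*) echo vulnerable ;;
    1.0.2-beta1)                  echo vulnerable ;;
    1.0.1[g-z]*|1.0.2*)           echo fixed ;;
    1.0.0*|0.9.8*)                echo not-affected ;;
    *)                            echo unknown ;;
  esac
}

# Extract the version field from an "openssl version" banner such as
# "OpenSSL 1.0.1e 11 Feb 2013" (the second whitespace-separated word).
openssl_version_from_banner() {
  set -- $1
  printf '%s\n' "$2"
}

# Debian keeps the upstream version string (1.0.1e) and ships the fix in the
# package revision (the "+deb7uN" security-update suffix), so the upstream check
# above reports a patched Wheezy as "vulnerable". Compare the installed package
# version against the version named in the DSA instead. This simplified
# comparison understands only the "<rev>+debNuM" revision form; on a real
# Debian host, dpkg --compare-versions is the authoritative comparison.
debian_upstream_part() { printf '%s\n' "${1%%-*}"; }
debian_revision_part() { case "$1" in *-*) printf '%s\n' "${1#*-}" ;; *) echo "" ;; esac; }
deb_security_update_number() {
  # "2+deb7u5" -> 5; a revision with no security-update suffix -> 0
  case "$1" in *+deb*u*) printf '%s\n' "${1##*u}" ;; *) echo 0 ;; esac
}
debian_package_status() {
  dps_installed=$1 dps_fixed=$2
  if [ "$(debian_upstream_part "$dps_installed")" != "$(debian_upstream_part "$dps_fixed")" ]; then
    # Different upstream version: fall back to the upstream range check
    heartbleed_upstream_status "$(debian_upstream_part "$dps_installed")"
    return
  fi
  if [ "$(deb_security_update_number "$(debian_revision_part "$dps_installed")")" -ge \
       "$(deb_security_update_number "$(debian_revision_part "$dps_fixed")")" ]; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Constructed sample inputs (not captured from a real system). The revision
# numbers below are placeholders: take the real fixed version from DSA-2896-1.
SAMPLE_BANNER='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_INSTALLED_PKG='1.0.1e-2+deb7u4'
DSA_FIXED_PKG='1.0.1e-2+deb7u5'

ver=$(openssl_version_from_banner "$SAMPLE_BANNER")
printf 'upstream %s: %s\n' "$ver" "$(heartbleed_upstream_status "$ver")"
printf 'package %s against %s: %s\n' "$SAMPLE_INSTALLED_PKG" "$DSA_FIXED_PKG" \
  "$(debian_package_status "$SAMPLE_INSTALLED_PKG" "$DSA_FIXED_PKG")"
```

On a live Wheezy host the real inputs come from `openssl version` and from `dpkg-query -W -f='${Version}\n' libssl1.0.0` (the library package; `openssl` is only the command-line tool), and the fixed version to compare against is the one the DSA text states.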

0

You should also upgrade your TLS/SSL clients that use OpenSSL as soon as a fixed version is available, particularly FTPS (FTP over TLS/SSL) clients.

Fortunately, an exploit of the vulnerability in clients is less probable than in servers.

See also:

Martin Prikryl

Posted 2014-04-08T19:09:22.513

Reputation: 13 764

And people balked when I said I still use Outlook Express 6. Who’s laughing now? :-P – Synetech – 2014-04-10T17:30:33.733
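As an added example (not code from this answer or from the ones above), a shell inventory for the question the thread keeps circling: which client programs on a Linux machine actually link OpenSSL and therefore depend on the library upgrade. It parses constructed sample ldd output; the program names in the scan call are illustrative.

```shell
#!/bin/sh
# Added example, not from any answer above: inventory which client programs on
# a Linux host are dynamically linked against OpenSSL. Such clients (FTPS
# clients, mail clients, command-line tools) run the same vulnerable library as
# affected servers until it is upgraded, even though they are less likely to be
# attacked. Only dynamic linkage is visible to ldd: a program that bundles or
# statically links its own OpenSSL copy will not show up and needs its own update.

# Read ldd output on stdin; print the names of OpenSSL shared libraries found.
# ldd lines look like "  libssl.so.1.0.0 => /usr/lib/.../libssl.so.1.0.0 (0x...)";
# the default IFS strips the leading whitespace and leaves the library name in $name.
openssl_libs_in_ldd() {
  while read -r name _rest; do
    case "$name" in
      libssl.so*|libcrypto.so*) printf '%s\n' "$name" ;;
    esac
  done
}

# Count the OpenSSL libraries in a block of ldd output passed as an argument.
openssl_lib_count() {
  printf '%s\n' "$1" | openssl_libs_in_ldd | wc -l | tr -d ' '
}

# Live scan (needs ldd and the programs in PATH; not exercised on the sample
# data): report, for each program name given, whether it links OpenSSL
# dynamically. ldd can run parts of the target's loader, so point it only at
# trusted, package-installed binaries.
scan_clients() {
  for prog in "$@"; do
    path=$(command -v "$prog" 2>/dev/null) || { printf '%s: not installed\n' "$prog"; continue; }
    libs=$(ldd "$path" 2>/dev/null | openssl_libs_in_ldd | tr '\n' ' ')
    if [ -n "$libs" ]; then
      printf '%s: links %s\n' "$prog" "$libs"
    else
      printf '%s: no dynamic OpenSSL linkage\n' "$prog"
    fi
  done
}

# Constructed sample ldd output (not captured from a real binary; addresses made up).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5a3fe000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2c3c9a0000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2c3c5a0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c3c1f0000)'
SAMPLE_LDD_NO_SSL='    linux-vdso.so.1 =>  (0x00007fff5a3fe000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c3c1f0000)'

printf 'sample client links %s OpenSSL libraries\n' "$(openssl_lib_count "$SAMPLE_LDD")"
printf 'sample non-SSL program links %s OpenSSL libraries\n' "$(openssl_lib_count "$SAMPLE_LDD_NO_SSL")"
# To scan real programs (illustrative names): scan_clients lftp curl wget mutt
```

A program that reports no dynamic linkage is not necessarily safe: some software ships its own OpenSSL inside its installation directory, and that copy is only fixed when the vendor ships an update, which is the case the last answer above is making for FTPS and similar clients.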