Apr 11, 2014, 3:00pm -0700
Apr 11, 2014, 3:00pm -0700
Heartbleeding OpenSSL Checklist
This article was originally posted on Space Monkey’s
So, you’re a company that uses SSL and just found out about the
“Heartbleed OpenSSL bug” (if you are instead a
Space Monkey customer and want to know more about how this affects you, please
see this blog post).
Did you (in order):
- Patch and/or upgrade all of your OpenSSL-using services including any
client software you might ship (clients are vulnerable too)?
- Download and use a vulnerability detector
or use the excellent Qualys SSL Labs server tester
to make sure your services are no longer vulnerable to future incursions?
- Reissue new private keys and certificates to all of your OpenSSL-using
- Revoke your old certificates?
- Enable forward secrecy?
(Don’t expect to be able to enable forward secrecy for every possible
browser. Cipher suites are a diverse and tricky thing.)
- Do a quick sanity check on forward secrecy with the
Qualys SSL Labs server tester?
(If you’re a user and want to check out other websites too, it’s a great
- Invalidate all user sessions?
- Tell users it is now safe and recommended to change their passwords? It
doesn’t make any sense for users to change their passwords (and they are
being told to en masse) until you patch your holes. (As a user, make sure
to use a vulnerability detector prior to changing your password.)
- Invalidate any other secret or private data that you can that was
accessible by or transferred through the process doing SSL termination?
- Do all of the above in the right order?
- Make sure to change your passwords with external services?
- Donate money or resources to OpenSSL?
Why you should donate to OpenSSL
As Matthew Green pointed out,
OpenSSL (and other cryptographic libraries) should really be considered
Critical Infrastructure. OpenSSL
is developed by a very dedicated but woefully underfunded team, even though
two-thirds of the Internet rely on it.
Many people have called for OpenSSL’s metaphorical head due to this fiasco.
The pragmatic truth is tons of systems rely on OpenSSL that frankly aren’t
going to be able to migrate to something else anytime soon. As a result, one
of the best things we can do to help Internet security and safety in general
is to help OpenSSL get better audited. As
Dan Kaminsky wrote, we need
to dedicate genuine resources to supporting critical code.
Like two-thirds of the Internet, we rely on OpenSSL heavily. Recent news
reports suggest that OpenSSL received a grand total of $841 in donations
since the heartbleed bug was dropped on the Internet at large. This is tragic.
We’re donating, and you should, too.
We need OpenSSL to be safe, so we’re donating $1000 to the OpenSSL project.
Are you donating?
Let’s work together to end this era of underfunding crucial Internet