Skip the navigation

Website admins will be busy dealing with Heartbleed

Patching the vulnerable OpenSSL software is only the first step, security experts say

By Lucian Constantin
April 10, 2014 05:25 PM ET

IDG News Service - Website and server administrators will have to spend considerable time, effort and money to mitigate all the security risks associated with Heartbleed, one of the most severe vulnerabilities to endanger encrypted SSL communications in recent years.

The flaw, which was publicly revealed Monday, is not the result of a cryptographic weakness in the widely used TLS (Transport Layer Security) or SSL (Secure Sockets Layer) communication protocols, but stems from a rather mundane programming error in a popular SSL/TLS library called OpenSSL that's used by various operating systems, Web server software, browsers, mobile applications and even hardware appliances and embedded systems.

See related story: What you as an end user need to do about Heartbleed

Attackers can exploit the vulnerability to force servers that use OpenSSL versions 1.0.1 through 1.0.1f to expose information from their private memory space. That information can include confidential data like passwords, TLS session keys and long-term server private keys that allow decrypting past and future SSL traffic captured from the server.

At first glance, dealing with this problem appears to be easy: update OpenSSL to the patched versions that should now be available for most operating systems and it's done. However, taking into consideration the possibility that the flaw might have been exploited by attackers by the time a particular server was patched and that its secret TLS keys might have been compromised, things are suddenly more complicated.

The first thing website owners should do is determine who is responsible for maintaining the OpenSSL software on the servers that host their sites.

"If it is a dedicated server, it is your responsibility," researchers from Web security firm Sucuri said in a blog post. "If you are on a shared hosting platform, contact your hosting provider to remind them to update their servers."

Once the OpenSSL installation is patched on the server and attacks are no longer possible, it's time to obtain a new SSL certificate and revoke the old one to ensure that any private key information attackers might have obtained though the flaw won't allow them to decrypt traffic in the future.

"The recommendation is for server operators to revoke and re-issue their certificates, since theres a possibility that secret keys may have been stolen," said Matthew Green, a cryptographer and assistant research professor at the Johns Hopkins University Information Security Institute in Baltimore, via email. "The problem is that this takes time and money. I wouldnt be surprised if many server operators skip this step."

Website owners should check with the certificate authorities (CAs) that issued their existing SSL certificates about any potential costs involved in re-keying and re-issuing those certificates.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!