I see in the news about the “Heartbleed” security bug. As an end user, do I need to do anything about it?

bwDraco
danorton
  • It shows a lack of research; the problem is with OpenSSL, which is clearly server side. – Ramhound Apr 08 '14 at 19:26
  • @Ramhound Could you provide a reference for that? Client applications can link to the OpenSSL library to provide SSL/TLS related functionality (see e.g. [this](http://www.visualsvn.com/support/topic/00056/)). Also, from heartbleed.com (bold highlight mine): "*When it is exploited it leads to the leak of memory contents from the server to the client and **from the client to the server.***" – Daniel Beck Apr 08 '14 at 20:28
  • @DanielBeck, Ramhound downvoted the question. Anyone can add a “no” answer. (I haven't even selected an answer, yet.) – danorton Apr 08 '14 at 20:31
  • While the leak can happen on both ends, a malicious hacker isn't going to attack the client side. I stand by my statement about the lack of research, though. Furthermore, Apache was the target from what I read. – Ramhound Apr 08 '14 at 21:06
  • As I mention in my self-answer, below, if you’re interested in the server vulnerabilities (and the possibilities of client-side data that has possibly been exposed via those vectors), I recommend reviewing this Q&A at serverfault: http://serverfault.com/questions/587329/heartbleed-what-is-it-and-what-are-options-to-mitigate-it – danorton Apr 08 '14 at 21:16
  • @Ramhound you read wrong. _Anything_ that links against OpenSSL is the target. Now, that includes Apache, but it is by no means limited to Apache. And besides, I _still_ don't understand how you think this isn't properly researched. Besides, you've just fallen prey to one of the minor dumbs of the [6 Dumbest Ideas in Computer Security](http://www.ranum.com/security/computer_security/editorials/dumb/) - "we're not a target" isn't an argument. – strugee Apr 09 '14 at 07:04

3 Answers

Yes!

  1. Know and let others know that all information might have been revealed that was encrypted only by HTTPS for many web servers around the world.
  2. You should contact your service providers and confirm that they have plans or have already taken the necessary steps to correct the vulnerability (presuming they were susceptible to it). This especially includes banks, financial institutions and other services that hold your most valuable and sensitive information. Until they have confirmed that they have applied the corrections, the information that they make available to you via HTTPS remains vulnerable.
  3. Your service providers might disable your previous passwords or otherwise require you to change them, but, if they don’t, change your passwords after they have applied the corrections.

You can find basic information at http://heartbleed.com/

More technical information is available from:

For those who aren’t end users, see this question on serverfault:

danorton
  • As a Linux end user, I have OpenSSH 1.0.1e installed on my laptop (Debian Wheezy). Do I still have nothing to worry about? –  Apr 09 '14 at 06:19
  • @StaceyAnne OpenSSH isn't affected, OpenSSL is. Was that a typo? – strugee Apr 09 '14 at 07:02
  • Yep, it was a typo. –  Apr 09 '14 at 07:22
  • `You should contact your service providers and confirm that they have plans or have already taken the necessary steps to correct the vulnerability` I assume by *service providers* you mean the websites and not ISPs, right? – Synetech Apr 10 '14 at 17:28
  • @Synetech, good point, but the wording is awkward. You can't contact a "website". I wonder what better term might go there. – danorton Apr 12 '14 at 21:00
  • `You can't contact a "website".` I don’t understand what you mean; most websites have a *Contact [us]* link at the bottom of the page, especially professional companies like banks and such. – Synetech Apr 12 '14 at 22:32
  • Many do, many don't, but you don't contact a website any more than you contact an office building. You contact the business. – danorton Apr 14 '14 at 03:41
As a Linux user, I had OpenSSL 1.0.1e installed on my Debian 7.0 (wheezy) install.

To fix it, I did this:

    apt-get update
    apt-get upgrade openssl

This re-installs OpenSSL and replaces it with 1.0.1e-2, the fixed OpenSSL for Debian Wheezy.

The major issue is really on the server side, but it is a good idea to upgrade your client OpenSSL if it's installed, just to be sure. See Debian Security Advisory, DSA-2896-1 openssl -- security update for further information.

Peter Mortensen
You should also upgrade your TLS/SSL clients that use OpenSSL as soon as a fixed version is available, particularly FTPS (FTP over TLS/SSL) clients.

Fortunately an exploit of the vulnerability in clients is less probable than in servers.

See also:

Martin Prikryl
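The last two answers (upgrade the client OpenSSL library; upgrade TLS/SSL and FTPS clients that link it) come down to the same local checks, so here is one added example covering both. It is not code from either answer, from Debian, or from the OpenSSL project. It assumes the affected upstream range stated on heartbleed.com (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g), that `ldd` and a Linux `/proc` are present, and that `curl`, `wget` and `lftp` are merely sample clients to inspect; the Debian package name `libssl1.0.0` mentioned in the comments is an assumption about wheezy.

```shell
#!/bin/sh
# Added example: local Heartbleed exposure checks for an end-user Linux box.
# Assumed affected upstream range (heartbleed.com): 1.0.1 through 1.0.1f.
# The 1.0.0 and 0.9.8 branches never had the bug.

# Pull the bare version token out of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Exit 0 (true) when the upstream release is in the affected range.
# Also accepts the "-fips" suffix some vendor builds append.
upstream_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-fips) return 0 ;;
        *) return 1 ;;
    esac
}

# One-word verdict for a full `openssl version` line.
verdict_for() {
    v=$(openssl_version_token "$1")
    if upstream_affected "$v"; then
        echo "affected-upstream"
    else
        echo "not-affected"
    fi
}

# Caveat: distributions backport the fix without bumping the upstream
# version, so a wheezy box that has applied DSA-2896-1 still reports 1.0.1e
# above. On Debian compare the package version against the advisory instead
# (assumed package name):
#   dpkg -s libssl1.0.0 | grep '^Version:'

# Shared libraries a client binary links that look like libssl/libcrypto.
# Such clients pick up the fix only through the library upgrade.
# Prints nothing when ldd or the binary is unavailable.
libssl_deps() {
    bin=$(command -v "$1" 2>/dev/null) || return 0
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | grep -E 'libssl|libcrypto' || true
}

# PIDs that still map a deleted (pre-upgrade) libssl: the upgrade is not in
# effect for them until they restart. Linux /proc only; reading other users'
# maps normally needs root.
stale_libssl_pids() {
    [ -d /proc ] || return 0
    for m in /proc/[0-9]*/maps; do
        grep -q 'libssl.*(deleted)' "$m" 2>/dev/null && echo "$m" | cut -d/ -f3
    done
    return 0
}

# Run the checks on the local machine when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(openssl version) -> $(verdict_for "$(openssl version)")"
    for c in curl wget lftp; do          # sample clients; lftp covers FTPS
        libssl_deps "$c" | sed "s/^/$c links: /"
    done
    stale_libssl_pids | sed 's/^/restart needed, pid: /'
fi
```

Run it as an ordinary user to see the library version and which clients link it; run it as root to also get the list of processes that still hold the old library mapped, which is the part most often missed after `apt-get upgrade`.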