From Wikipedia

“Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension”

So what can I do to protect myself?

First thing to do is test. Test you SSL enabled servers for the existence of this bug, there are lots of test surfacing around the web, here are a few I like:

  1. HeartBleed Test – McAfee True Intelligence Feed (Beta)
  2. LastPass – LastPass Heartbleed checker
  3. Qualys SSL Labs – Projects / SSL Server Test
  4. Oh and this guy

I have servers that are vulnerable?

It happens and that’s fine; what you now need to do is update your infrastructure. So if you have Linux web servers that are older; simply updating them will do the trick.  I had a few test systems and for me that was all I needed to do.

Stay up to date and patched is always the best protection; if you have customers / clients who have been using your servers; inform them to change their passwords to be safe.

What if I am a customer of a service found to be vulnerable?

They should have contacted you by now, informing you of HeartBleed and instructed you to possibly change your password and some services use two-factor authentication which helps you been a bit more secure.

Best of luck to you and be safe out there folks.

More info at following site: The Heartbleed Bug by Codenomicon

Oh and Xkcd succinctly explains how the Heartbleed bug works: