“Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension”
So what can I do to protect myself?
First thing to do is test. Test you SSL enabled servers for the existence of this bug, there are lots of test surfacing around the web, here are a few I like:
- HeartBleed Test – McAfee True Intelligence Feed (Beta)
- LastPass – LastPass Heartbleed checker
- Qualys SSL Labs – Projects / SSL Server Test
- Oh and this guy
I have servers that are vulnerable?
It happens and that’s fine; what you now need to do is update your infrastructure. So if you have Linux web servers that are older; simply updating them will do the trick. I had a few test systems and for me that was all I needed to do.
Stay up to date and patched is always the best protection; if you have customers / clients who have been using your servers; inform them to change their passwords to be safe.
What if I am a customer of a service found to be vulnerable?
They should have contacted you by now, informing you of HeartBleed and instructed you to possibly change your password and some services use two-factor authentication which helps you been a bit more secure.
Best of luck to you and be safe out there folks.
Oh and Xkcd succinctly explains how the Heartbleed bug works: