Security Alert: OpenSSL 1.0.1 Vulnerability (CVE-2014-0160) «Heartbleed» Announced

Yesterday, a new vulnerability (CVE-2014-0160), aka Heartbleed, was announced in OpenSSL 1.0.1 (releases 1.0.1 through 1.0.1f; the 1.0.2 betas are affected as well) that allows an attacker to read memory of an affected server, or of an affected client that talks to a malicious server.


(Illustration: Alessandra Angelucci)

While the attacker cannot choose which memory is returned, each malformed heartbeat request leaks up to 64 KB of the process's memory and can be repeated at will, so it is entirely plausible for a malicious party to extract sensitive data such as active session cookies, login credentials, or, worst of all, the server's private SSL key. With that key, an attacker can impersonate the server and decrypt future sessions, and can also decrypt any recorded past sessions that were not protected by a forward-secret (ephemeral Diffie-Hellman) cipher suite. The exploit is very hard to detect: it uses the standard TLS heartbeat extension, so it looks like ordinary protocol traffic and leaves nothing in the usual application logs.
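To make the bug concrete, here is an added example (written for this post, not OpenSSL's own source) that models the heartbeat handler over a simulated process memory. A heartbeat message is type (1 byte) || payload length (2 bytes) || payload || padding. The vulnerable handler trusts the declared payload length and copies that many bytes from wherever the record sits in memory; the fixed handler adds the two length checks that OpenSSL 1.0.1g introduced, which is also exactly the condition a detection rule would test (a declared payload larger than the record that carried it). The secret string and the memory layout are constructed for the demo.

```c
/*
 * Added example (not OpenSSL's source): a model of the TLS heartbeat handler
 * that reproduces the CVE-2014-0160 over-read on a simulated process memory,
 * beside the bounds check that OpenSSL 1.0.1g added.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16            /* minimum padding OpenSSL appends */
#define MEM_SIZE         (65536 + 64)  /* enough for the largest 16-bit claim */

/* Simulated process memory: the received heartbeat record is placed at the
 * start, and unrelated secret data sits some bytes after it, as it might in a
 * real heap. Both are constructed for this example. */
static uint8_t sim_mem[MEM_SIZE];
static size_t  sim_record_len;         /* bytes the TLS layer really received */
static const char SECRET[] = "session=deadbeef; Authorization: Basic YWRtaW46aHVudGVyMg==";

/* Place a heartbeat request at the start of simulated memory. `declared` is
 * the payload length claimed on the wire; `actual` is the number of bytes
 * really sent. A mismatch is the attack. */
static void setup_memory(uint16_t declared, size_t actual) {
    memset(sim_mem, 0, sizeof sim_mem);
    sim_mem[0] = TLS1_HB_REQUEST;
    sim_mem[1] = (uint8_t)(declared >> 8);
    sim_mem[2] = (uint8_t)(declared & 0xff);
    memset(sim_mem + 3, 'A', actual);                     /* the real payload */
    sim_record_len = 1 + 2 + actual + HB_PADDING;
    memcpy(sim_mem + 128, SECRET, sizeof SECRET);         /* data beyond the record */
}

/* Build the response by echoing `payload` bytes starting at pl. When payload
 * exceeds what was received, this memcpy is the over-read. */
static size_t build_response(uint8_t *resp, const uint8_t *pl, uint16_t payload) {
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, pl, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Vulnerable handler (pre-1.0.1g logic): trusts the declared length. */
static size_t heartbeat_vulnerable(uint8_t *resp) {
    const uint8_t *p = sim_mem;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    return build_response(resp, p + 3, payload);
}

/* Fixed handler: mirrors the two checks in the 1.0.1g patch. The record must
 * be long enough for type, length field, claimed payload and padding;
 * otherwise the request is silently dropped (returns 0). */
static size_t heartbeat_fixed(uint8_t *resp) {
    const uint8_t *p = sim_mem;
    if (1 + 2 + HB_PADDING > sim_record_len) return 0;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > sim_record_len) return 0;
    return build_response(resp, p + 3, payload);
}

/* Naive search: does the response contain the secret? */
static int leaks_secret(const uint8_t *resp, size_t len) {
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Send a request claiming `declared` bytes with `actual` bytes present to one
 * of the handlers. Returns the response length (0 = dropped) and reports
 * through *leaked whether the secret appeared in the response. */
static size_t run_attack(uint16_t declared, size_t actual, int fixed, int *leaked) {
    static uint8_t resp[MEM_SIZE];
    setup_memory(declared, actual);
    size_t len = fixed ? heartbeat_fixed(resp) : heartbeat_vulnerable(resp);
    *leaked = leaks_secret(resp, len);
    return len;
}

int main(void) {
    int leaked;
    size_t len = run_attack(0x4000, 1, 0, &leaked);   /* claim 16384 bytes, send 1 */
    printf("vulnerable: %zu bytes returned, secret leaked: %s\n", len, leaked ? "yes" : "no");
    len = run_attack(0x4000, 1, 1, &leaked);
    printf("fixed:      %zu bytes returned (0 = request dropped), leaked: %s\n", len, leaked ? "yes" : "no");
    return 0;
}
```

The 16-bit length field is why a single request is capped at 64 KB; the real exploit simply repeats the request, and each answer carries whatever happened to lie after the record in the heap.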

The most pressing action is to update every affected host to a fixed OpenSSL (1.0.1g, or a distribution package carrying the fix) and then restart every service that links against the library, since a running process keeps using the old code until it is restarted. Because the host's SSL private keys may already have been compromised, generate new private keys, obtain new certificates for them, and only then revoke the old certificates. Depending on the nature of the hosted content, it may also be advisable to invalidate all active sessions and require users to reset their passwords, but do this only after the host is patched, so that the new credentials are not leaked in turn.

Further information can be found here or here.

There are a number of online tools to check a host's vulnerability, e.g. filippo.io/Heartbleed. They test the service from the outside, which is useful, but they only reach what you expose; to be certain, check the installed OpenSSL on the host itself. Note that the version string alone can mislead: distributions frequently backport the fix without changing the upstream version (a patched package may still report 1.0.1e), so check the package changelog or build, and remember that a patched library only takes effect once every service using it has been restarted.

Update, April 15, 2014:

Now that things have calmed down a little, you might ask yourself: Now what? At this point, any relevant web services should have fixed the vulnerability at their end. Here's a tool to check if your favorite website is still affected. If a host is still vulnerable by now, you might want to think hard about trusting it with any of your data.

For any site that you consider relevant security-wise AND that is no longer vulnerable, now is the perfect time to change your password. If the site offers some sort of two-factor authentication using your cellular phone or a key token, please do use it from now on!

This might be a good moment to re-evaluate your password strategy. My suggestion: if you do not use a password manager so far, start using one. Now. Apps such as 1Password, LastPass or Apple's own iCloud-enabled Keychain help you generate and use strong, unique passwords on every site you use with virtually no loss of convenience. The good thing is: most of these apps also support syncing passwords between devices, so you don't have to worry about being unable to access your favorite sites on your tablet or smartphone. In other words, there really are no downsides to this.