Website operators will have a hard time dealing with the Heartbleed vulnerability

Patching the vulnerable OpenSSL software is just the first step, security experts say

Website and server administrators will have to spend considerable time, effort and money to mitigate all the security risks associated with Heartbleed, one of the most severe vulnerabilities to endanger encrypted SSL communications in recent years.

The flaw, which was publicly revealed Monday, is not the result of a cryptographic weakness in the widely used TLS (Transport Layer Security) or SSL (Secure Sockets Layer) communication protocols, but stems from a rather mundane programming error in a popular SSL/TLS library called OpenSSL that's used by various operating systems, Web server software, browsers, mobile applications and even hardware appliances and embedded systems.

Attackers can exploit the vulnerability to force servers that use OpenSSL versions 1.0.1 through 1.0.1f to expose information from their private memory space. That information can include confidential data like passwords, TLS session keys and long-term server private keys that allow decrypting past and future SSL traffic captured from the server.

At first glance, dealing with this problem appears to be easy: update OpenSSL to the patched versions that should now be available for most operating systems and it's done. However, taking into consideration the possibility that the flaw might have been exploited by attackers by the time a particular server was patched and that its secret TLS keys might have been compromised, things are suddenly more complicated.

The first thing website owners should do is determine who is responsible for maintaining the OpenSSL software on the servers that host their sites.

"If it is a dedicated server, it is your responsibility," researchers from Web security firm Sucuri said in a blog post. "If you are on a shared hosting platform, contact your hosting provider to remind them to update their servers."

Once the OpenSSL installation is patched on the server and attacks are no longer possible, it's time to obtain a new SSL certificate and revoke the old one to ensure that any private key information attackers might have obtained though the flaw won't allow them to decrypt traffic in the future.

"The recommendation is for server operators to revoke and re-issue their certificates, since theres a possibility that secret keys may have been stolen," said Matthew Green, a cryptographer and assistant research professor at the Johns Hopkins University Information Security Institute in Baltimore, via email. "The problem is that this takes time and money. I wouldnt be surprised if many server operators skip this step."

Website owners should check with the certificate authorities (CAs) that issued their existing SSL certificates about any potential costs involved in re-keying and re-issuing those certificates.

"The Trustwave SSL Services Platform has always included free certificate reissues for the life of the certificate; we have never charged for people to rekey and replace their certificates," said Brian Trzupek, vice president of managed identity and SSL at Trustwave, a large certificate authority, via email. "In this particular instance with the Heart Bleed vulnerability to OpenSSL we have already had a large volume of customers employ the free self-service reissuance features within our SSL portal to help remediate the Heart Bleed issues with their SSL certificate."

Symantec, which operates one of the largest CAs since acquiring VeriSign's SSL business in 2010, said that it has taken the necessary steps to patch its systems that used affected versions of OpenSSL. "We are following best practices and have re-keyed all certificates on web servers that used affected versions of OpenSSL," the company said via email. "While there was never an issue with Symantec Certificates, to address the OpenSSL bug we will be offering replacements free of charge for our existing customers and the old certificates will be revoked."

Dealing with this OpenSSL vulnerability might also be a good opportunity for website and server administrators to review their SSL/TLS configurations and make sure they're up to modern standards.

"Since you have to touch your server configuration and create new SSL certificates, we would recommend that you also go through certificate generation settings and server configuration," researchers from antivirus firm F-Secure said in a blog post. "Heartbleed is not the only problem in SSL/TLS implementations, a poorly chosen protocol or weak cipher can be just as dangerous as the Heartbleed bug."

The Open Web Application Security Project's (OWASP) Transport Layer Protection Cheat Sheet and the SSL/TLS Deployment Best Practices by Qualys SSL Labs might serve as good starting points.

It might also be a good time to consider configuring TLS with Perfect Forward Secrecy (PFS), a property of DiffieHellman key agreement protocols -- DHE and ECDHE -- that are already in use on some large websites, including Google. PFS makes decrypting previously captured TLS traffic impossible even if the server's private key is compromised and Heartbleed did not affect servers that had TLS configured for PFS.

"One of the strongest protections you can have against TLS vulnerabilities is Perfect Forward Secrecy," said David Grant, systems administrator at advocacy group Electronic Frontier Foundation, in a blog post. "This is not simple to configure, and does not yet have global browser support. However, it is the encryption technology that provides the best defense against attacks with the potential to steal your private key and use it to decrypt your traffic."

Ivan Ristic, who runs the SSL Labs at Qualys, provided instructions on how to configure Apache, Nginx and OpenSSL with forward secrecy in a blog post in August.

"At this moment, forward secrecy is more crucial than ever," said Yan Zhu, a staff technologist at the Electronic Frontier Foundation, in a recent blog post in which he makes the case for wider PFS adoption on the Web. "Now that the details of Heartbleed are public, anyone can use it against servers that haven't yet patched the OpenSSL bug and changed SSL certificates. It can easily take weeks or months for developers to deploy new SSL certificates, and even so, certificate revocation systems are unreliable and poorly-suited to the modern web. In the meantime, any data you send now to affected servers that don't support forward secrecy will be open to eavesdropping and malicious tampering as soon as their SSL private keys are exposed."

Because the Heartbleed vulnerability can also be used to steal passwords from the server's memory, website administrators should assess and consider what categories of passwords should be changed as a precaution. In some cases it might be wise to force or at least advise all users to change their passwords.

In addition to resetting passwords, it might also be a good idea to invalidate all cross-site request forgery (CSRF) and OAUTH tokens, as well as session cookies. If stolen from the server memory or from decrypted traffic, such tokens could be used to gain unauthorized access to user accounts on the affected site.

Finally, it's also important for administrators to look at their whole Web infrastructure and not just individual Web servers when assessing the impact of this vulnerability.

For example, even if a Web server runs as IIS (Internet Information Services) on Windows and is not affected by this flaw because IIS doesn't use OpenSSL, there might be an Nginx server with OpenSSL running as a load balancer for encrypted traffic or as a reverse proxy in front of that IIS server, said Troy Hunt, a software architect and Microsoft's MVP, in a blog post.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityprivacypatch managementsymanteconline safetytrustwavequalyspkipatchesElectronic Frontier FoundationExploits / vulnerabilitiesSucuri

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?