Heartbleed bug: security breach discovered in OpenSSL
On 8 April 2014, a security vulnerability was disclosed in the latest version of OpenSSL (1.0.1), making it possible for attackers to obtain both encrypted information and the encryption key. OpenSSL is mostly used on Linux servers in combination with, for instance, Apache (web server software), which exposes a large number of web servers to this vulnerability.
The bug is in the OpenSSL implementation of the TLS/DTLS heartbeat extension (RFC 6520). By exploiting it, an attacker can read the memory of a server. The error was introduced into OpenSSL in December 2011, which means that almost all recent versions and distributions of Linux are vulnerable.
Which versions are vulnerable?
All OpenSSL 1.0.1 versions up to and including 1.0.1f are vulnerable. The latest version, OpenSSL 1.0.1g, contains the fix. Earlier branches of OpenSSL (for instance 0.9.8 or 1.0.0) do not contain the bug. Software that is built on or bundles OpenSSL may also contain the vulnerability.
What should I do if I am using a vulnerable version of OpenSSL?
OpenSSL must first be patched via an update. If your distribution does not have an update available yet, you can compile OpenSSL manually with -DOPENSSL_NO_HEARTBEATS, which disables the heartbeat extension altogether.
Because the vulnerability allows attackers to obtain your private keys, it is recommended to generate new private keys and reissue the certificate. Please use the "reissue" option in our portal. After the reissue, the old certificates are revoked automatically.
How can I see if my server is still vulnerable?
Our SiteCheck has been updated to also show whether a server is vulnerable or has been patched successfully. You can access the SiteCheck by clicking here.
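As an added example, not part of this advisory and not Networking4all's own tooling, the following POSIX shell script turns three points above into something an administrator can run on a host: the version ranges from "Which versions are vulnerable?", the manual rebuild with -DOPENSSL_NO_HEARTBEATS, and the "is my server still vulnerable?" check. The script name, the function names, the `local`/`build` arguments and the source-directory path are assumptions; the version ranges and the compile flag come from the advisory.

```shell
#!/bin/sh
# heartbleed_check.sh (added example): classify an OpenSSL version string by
# the affected range this advisory gives, and rebuild from source with the
# heartbeat extension compiled out when no packaged update is available yet.

# Extract the version token from `openssl version` output, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e". Returns 1 for anything that is
# not OpenSSL (LibreSSL, BoringSSL, ...), so callers can tell "not checked"
# apart from "not affected".
parse_openssl_version() {
    # shellcheck disable=SC2086  (unquoted on purpose: split on whitespace)
    set -- $1
    [ "$1" = "OpenSSL" ] || return 1
    printf '%s\n' "$2"
}

# Map a version token to one of: vulnerable, fixed, not-affected, unknown.
# Ranges follow the advisory: 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed,
# the older 0.9.8 and 1.0.0 branches never had the heartbeat bug.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]*) echo vulnerable ;;   # "1.0.1e-fips" etc. included
        1.0.1[g-z]*)       echo fixed ;;
        0.9.8*|1.0.0*)     echo not-affected ;;
        *)                 echo unknown ;;
    esac
}

# Check the openssl binary on this host. Caveat (my note, not from the
# advisory): some distributions backport the fix without changing the
# upstream version string, so "vulnerable" here means "verify against your
# package changelog or the SiteCheck", not a confirmed exposure.
check_local_openssl() {
    ver=$(parse_openssl_version "$(openssl version)") || {
        echo "not an OpenSSL build; nothing to classify" >&2
        return 2
    }
    echo "openssl $ver: $(heartbleed_status "$ver")"
}

# Rebuild OpenSSL from an unpacked source tree with heartbeats compiled out,
# as the advisory suggests when no distribution update exists yet.
# $1: path to the OpenSSL source directory (assumed already downloaded).
build_without_heartbeats() {
    cd "$1" || return 1
    ./config -DOPENSSL_NO_HEARTBEATS && make && make test
}

# Usage: `sh heartbleed_check.sh local` checks this host;
#        `sh heartbleed_check.sh build /path/to/openssl-source` rebuilds.
case "${1:-}" in
    local) check_local_openssl ;;
    build) build_without_heartbeats "${2:?path to OpenSSL source directory}" ;;
esac
```

The version check is a first pass only: a host that reports 1.0.1e can still be patched through a vendor backport, and a host that reports 1.0.1g can still be running old, unrestarted processes with the vulnerable library mapped in. Treat the classification as a prompt to confirm with the package changelog or the SiteCheck, and restart every service that links OpenSSL after updating.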
What does Networking4all do?
You can request reissues through our portal. We are currently working at full capacity to handle all reissues as quickly as possible.