Apr 9, 2014

OpenSSL Heartbleed Vulnerability Explained & Tips for Protection

In today’s Whiteboard Wednesday, Trey Ford, Global Security Strategist at Rapid7, will talk about the OpenSSL vulnerability called Heartbleed.

Trey will give some background on the Heartbleed vulnerability, discuss what is affected by it, and explain how you can fix the problem in your environment.

Watch this whiteboard video for more information about the OpenSSL vulnerability “Heartbleed” and learn how you can protect yourself and your organization from this security flaw.

Video Transcript

Hi, I'm Trey Ford, Global Security Strategist of Rapid7. This week's Whiteboard Wednesday is on Heartbleed and SSL Trust.

So Heartbleed is an attack focused on SSL. Before we dive into the attack and what that means, let's talk a little bit about SSL.

SSL at the highest level provides two services for the internet service. One, this notion of authenticity. How do you know if you're connecting to the real Google, Yahoo, eBay, Amazon? An external entity provides a certificate. A Certificate Authority provides the certificate to an organization to prove, to certify, "I'm the website you want to interact with." So when you come to Amazon or eBay, you know exactly who you're talking to. Number two, this key infrastructure provides service for a secure transport for secure and private communications. So when you're sending emails, when you're chatting, you're uploading your credit card number for purchases, you don't want that information to be seen or accessed by third parties. So this gives a very private line of communication between you and the server.

So Heartbleed uses these same communication mechanisms. This vulnerability allows attackers to pull segments of memory from the server they're interacting with, which compromises the integrity. It allows them to pull passwords, session state, cookies, as well as private key material. What that ultimately means is that they're going to gain the ability to either log in as users, hijack users' sessions, or masquerade as the user or server itself.

So what's affected, what's in scope? OpenSSL is used on roughly two-thirds of the internet. This is a really big event. This is going to affect web servers, mail servers, chat, some VPN systems, and database servers. What this means is there's going to be a lack of confidence, not only now, in what servers you're connecting with but what users are now connecting with your servers.

So how do we fix this? How do we address the problem? First, you have to get patched. OpenSSL version 1.0.1 was affected all the way through the current release that came out on Monday, April 7th. The original release date was March 24 of 2012. So over the last two years or more we've been seeing this particular suite of libraries being fed into enterprise services, mail services, everything you're going to see. So this is really broad. Go find out where all of these run and get it updated. Number two, reach out to your certificate authority, get a new certificate generated. You need a new certificate, use that to generate a strong, new SSL key and get that deployed to all the servers that need it. Next step is to go back and clean up what we know is compromised. What we no longer have faith isn't compromised.

I forgot to mention that this attack doesn't leave any trace. You do not know what has been compromised or what's gone. You can't prove that it was done. So the good hygiene, the safest route is to get this replaced. You want to invalidate the old certificate. Place it on a Certificate Revocation List. When you notify the CA that you're invalidating the certificate this is going to get pushed out to browsers. Finally, you want to invalidate old sessions. So the cookies and the sessions may still be alive. You need to tear those down and you need to consider, and this is a user experience question, but you need to consider forcing a password change. For those of you that feel obligated to go rotate your password, I would probably wait a couple days, wait for the bumps to settle down. The internet's going to be a little rocky for a little bit while this gets patched. After a couple days have gone by you're probably safe to go out but I would recommend your friends and family go out and rotate your passwords.

Finally, this is probably the biggest event ever in terms of certificate generation and certificate revocation, taking that off, making those certificates flagged as unsafe to use. What that means out in browser land, I think, we're going to have a lot of discussion about that later.

Thanks for tuning in, we'll talk to you next week.
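The "go find out where all of these run" step from the transcript can start with a version triage like the one below. This is an added example, not from the video or from Rapid7; the function name and result labels are hypothetical. It assumes the upstream affected range from the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g), which the transcript does not spell out.

```shell
#!/bin/sh
# Added example: classify the text printed by `openssl version -a` for
# Heartbleed exposure. Distributions often backport the fix without changing
# the upstream version string, so "affected-range" means "confirm the package
# build with your vendor", not proof of exposure.

classify_openssl() {
    # $1: full output of `openssl version -a` (or plain `openssl version`)
    out=$1
    ver=$(printf '%s\n' "$out" |
          sed -n 's/^OpenSSL \([0-9][0-9a-zA-Z.-]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return; }

    case $ver in
        # 1.0.1, 1.0.1a..f, suffixed builds such as 1.0.1e-fips, and 1.0.2-beta1
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1*)
            case $out in
                # Builds compiled with this flag leave out the heartbeat code
                *-DOPENSSL_NO_HEARTBEATS*) echo heartbeats-disabled ;;
                *) echo affected-range ;;
            esac ;;
        # 0.9.8 and 1.0.0 never had the heartbeat code; 1.0.1g and later are fixed
        *) echo outside-range ;;
    esac
}

# Run against the local binary only when asked: sh triage.sh --local
if [ "${1:-}" = "--local" ] && command -v openssl >/dev/null 2>&1; then
    printf '%s: %s\n' "$(hostname)" "$(classify_openssl "$(openssl version -a)")"
fi
```

This only covers the `openssl` binary on the PATH; services that bundle or statically link their own copy of the library still need to be checked individually.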
