10

I see in the news about the “Heartbleed” security bug. As an end user, do I need to do anything about it?

bwDraco
danorton

3 Answers

7

Yes!

  1. Know and let others know that all information might have been revealed that was encrypted only by HTTPS for many web servers around the world.
  2. You should contact your service providers and confirm that they have plans or have already taken the necessary steps to correct the vulnerability (presuming they were susceptible to it). This especially includes banks, financial institutions and other services that hold your most valuable and sensitive information. Until they have confirmed that they have applied the corrections, the information that they make available to you via HTTPS remains vulnerable.
  3. Your service providers might disable your previous passwords or otherwise require you to change them, but, if they don’t, change your passwords after they have applied the corrections.

You can find basic information at http://heartbleed.com/

More technical information is available from:

For those who aren’t end users, see this question on serverfault:

danorton
0

As a Linux user, I had OpenSSL 1.0.1e installed on my Debian 7.0 (wheezy) install.

To fix it, I did this:

apt-get update
apt-get upgrade openssl

This re-installs OpenSSL and replaces it with 1.0.1e-2, the fixed OpenSSL for Debian Wheezy.

The major issue is really on the server side, but it is a good idea to upgrade your client OpenSSL if it's installed, just to be sure. See Debian Security Advisory, DSA-2896-1 openssl -- security update for further information.
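A way to check a Debian client against this answer's advice, as an added example that is not from the post or from Debian: the Heartbleed bug exists in upstream OpenSSL 1.0.1 through 1.0.1f, but on Debian the string printed by `openssl version` still reads 1.0.1e after the security update because the fix is backported, so the installed package version (from `dpkg -s openssl`) has to be compared with the fixed version named in DSA-2896-1. `upstream_affected()` classifies the upstream string, and `deb_vercmp()` does the package comparison with a port of dpkg's own version-ordering algorithm (epochs are not handled); the version strings in the comments and test are constructed.

```python
import re
# Upstream OpenSSL releases with Heartbleed (CVE-2014-0160): 1.0.1 through 1.0.1f.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def upstream_affected(version_output: str) -> bool:
    """True if the version in `openssl version` output is 1.0.1 .. 1.0.1f."""
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError(f"unrecognised version string: {version_output!r}")
    if (int(m[1]), int(m[2]), int(m[3])) != (1, 0, 1):
        return False
    return m[4] <= "f"  # "" (plain 1.0.1) sorts before "a"

def _order(s: str, k: int) -> int:
    """dpkg's weight for s[k]: end/digits are 0, '~' sorts first, letters before symbols."""
    if k >= len(s) or s[k].isdigit():
        return 0
    if s[k] == "~":
        return -1
    return ord(s[k]) if s[k].isalpha() else ord(s[k]) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternating non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        while _order(a, i) or _order(b, j):          # non-digit segment
            if _order(a, i) != _order(b, j):
                return _order(a, i) - _order(b, j)
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":            # numeric segment, leading zeros dropped
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def deb_vercmp(a: str, b: str) -> int:
    """Like `dpkg --compare-versions`: upstream part first, then Debian revision (no epochs)."""
    split = lambda v: (v.rsplit("-", 1) + [""])[:2]
    (au, ar), (bu, br) = split(a), split(b)
    return _verrevcmp(au, bu) or _verrevcmp(ar, br)
```

A client is patched when `deb_vercmp(installed, fixed) >= 0` with `fixed` taken from the advisory, regardless of what `openssl version` prints.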

0

You should also upgrade your TLS/SSL clients that use OpenSSL as soon as a fixed version is available, particularly FTPS (FTP over TLS/SSL) clients.

Fortunately an exploit of the vulnerability in clients is less probable than in servers.

See also: