Questions tagged [heartbleed]

Security vulnerability in OpenSSL allowing an attacker to obtain SSL keys, passwords, and other secure data from a server or client

Heartbleed (CVE-2014-0160) is a major security vulnerability in the OpenSSL library. It allows an attacker to read memory contents of a server or client that uses OpenSSL to secure its transport. This data may include SSL private keys, passwords, and web pages that were recently served or visited, thereby defeating the security that SSL is supposed to provide. The vulnerability affected a large portion of websites offering HTTPS, including Yahoo! and Imgur.

Web servers are not the only services at risk: any service that uses OpenSSL for transport security is affected, for example mail servers (SMTP, IMAP, POP3) and VPN servers (OpenVPN).

The vulnerability was patched in an update released on April 7, 2014, according to the OpenSSL security advisory. Many websites applied the patch quickly, but the vulnerability had been present in OpenSSL for more than two years and may have been exploited before it was announced. More information about the Heartbleed vulnerability is available at http://heartbleed.com/.

24 questions
118 votes, 7 answers

How to use the Internet while Heartbleed is being fixed?

There are many websites which are not currently vulnerable, but I have no idea if they were vulnerable a few days ago. For example: twitter.com: Not vulnerable right now, but the certificate is from Wed Mar 05 00:00:00 UTC 2014 google.com: Not…
user148324
88 votes, 12 answers

What's an efficient way to change my 200+ account passwords?

I have a lot of online accounts, web services, and so on -- personal as well as business -- so obviously(?) I use a password manager to handle them all. Specifically I use Lastpass but my question applies to any and all: Given the Heartbleed problem…
40 votes, 2 answers

Does Heartbleed affect ssh keys?

Does the recent Heartbleed bug affect the ssh keys I've generated and use to push/pull code with Github, Heroku, and other similar sites? Do I need to replace the keys I've been using?
10 votes, 3 answers

Do end users need to do anything about the Heartbleed security bug? What?

I see in the news about the “Heartbleed” security bug. As an end user, do I need to do anything about it?
danorton
9 votes, 3 answers

What should I do about the Heartbleed bug for the sites I run?

The recently announced Heartbleed bug in OpenSSL affects many sites (70% of the internet). There's a website: http://www.heartbleed.com There's a web-based test: http://filippo.io/Heartbleed/ What should I do to protect the sites that I run?
7 votes, 2 answers

Heartbleed "Unexpected message"

I have a task to verify our company's software patch which addresses the Heartbleed attack. Now, I am certain that the version of the software I am trying to exploit uses the OpenSSL 1.0.1e library, which should be vulnerable. However, I have tried out multiple…
6 votes, 4 answers

apt-get upgrade openssl won't bring Ubuntu 12.04 to latest version

I've tried the following, but I can't get a build date later than: Tue, Aug 21 05:18:46 UTC 2012 I have done the following: apt-get dist-upgrade apt-get update apt-get upgrade openssl and apt-get purge openssl apt-get install openssl and apt-get…
4 votes, 2 answers

How do I distinguish between these two certificate situations?

Situation 1 (safe): Website was vulnerable to Heartbleed and using a certificate not valid before 2012-10-21. Website upgraded to a non-vulnerable version of OpenSSL. Website re-keyed and got their certificate reissued, with the same…
user148324
3 votes, 1 answer

Does Heartbleed Bug in OpenSSL affect ALL SSL certs

Does the Heartbleed Bug in OpenSSL affect ALL SSL certs, regardless of where I purchased or if I self-cert? For example, if I bought an SSL certificate from GoDaddy and set this up on my server following their Apache tutorial…
bwright
2 votes, 1 answer

Tool/Procedure to Evaluate Whether Each Site in a Password Manager (e.g., KeePass, LastPass, Dashlane) is ready for a new password (post Heartbleed)?

Sites need to be remediated for the Heartbleed exploit before a password is updated. Some sites will be remediated immediately but others may not be updated for months. Lots of us have many dozens to several hundred sites in a password manager…
BillR
2 votes, 1 answer

Which versions of the Windows TLS/SSL file transfer software like WinSCP and FileZilla are not affected by Heartbleed?

I noticed that many people still use versions of widespread TLS/SSL-enabled Windows clients like WinSCP and FileZilla that are affected by the Heartbleed vulnerability. To be able to make safe recommendations, I want to have a list with safe…
mit
1 vote, 1 answer

HeartBleed and Client certificates

Is it true that a server set up to require a client certificate cannot suffer from the Heartbleed vulnerability if the user does not have a client certificate?
1 vote, 3 answers

Compile Heartbleed.c Tester On CentOS 6.x

I have been looking for days now for a solution to this, basically I am trying to test my network for the heartbleed bug, but I am unable to compile the tester on CentOS 6.x, any ideas or suggestions are greatly appreciated... Link to…
Jeffrey L. Roberts
1 vote, 2 answers

How to get the OpenSSL version in a Tomcat 6 installation

After reading an article about the Heartbleed security bug, I understand that it is good practice to check the OpenSSL version Apache Tomcat is using. The article contains this sentence: What version of OpenSSL is Tomcat using? This information is…
Ziba Leah
1 vote, 2 answers

Heartbleed threat: Do I need to change passwords for websites that I rarely log on to?

I've a dozen email accounts, probably a hundred website and forum accounts, and I don't want to go about changing all the passwords. Do I need to change the password of websites that I seldom log on to - or where the logon is "saved" in the browser cookie?