On April 7, 2014, a bug in the OpenSSL software library was announced by the OpenSSL organization. This bug, called Heartbleed, impacts versions 1.0.1 through 1.0.1f of OpenSSL.Heartbleed is not an SSL bug or flaw with the SSL/TLS protocol — it's a bug in OpenSSL’s implementation of SSL/TLS which servers rely on to create secured connections online.
Heartbleed affects nearly two-thirds of servers on the Internet. Chances are you administer a server affected by the Heartbleed bug or have received an email notification to update passwords because of the effect of Heartbleed.
According to the Heartbleed website hosted by Codenomicon, whose engineers were among those who discovered Heartbleed:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
A few things that set Heartbleed apart from other bugs are:
The versions of OpenSSL that are vulnerable to Heartbleed are 1.0.1 through 1.0.1f, and 1.0.2-beta1. The 1.0.0 branch and earlier were not vulnerable, and the 1.0.1g version released yesterday fixes the vulnerability. (Version 1.0.2-beta2 will include the fix.)
If your servers do not use version 1.0.1 through 1.0.1f or 1.0.2-beta1 of OpenSSL, or if they are compiled without the heartbeat extension, they are not vulnerable to Heartbleed.
Microsoft-based platforms, not utilizing OpenSSL are unaffected by Heartbleed. Java along with many other servers and network devices not use OpenSSL. Although some devices can still rely on OpenSSL, so it's best to contact your device manufacturer or the DigiCert 24/7 Technical Support team to verify if you're vulnerable to Heartbleed. If you are using keystores and truststores, you most likely are using JSSE rather than OpenSSL and are not vulnerable to Heartbleed.
If you're unsure whether a site you administer or use is vulnerable, you can use the DigiCert Certificate Checker tool for free on by going to digicert.com/help. The DigiCert Certificate Checker allows users to check the security for any site on the Internet using an SSL Certificates from any Certificate Provider.
Although there are no documented cases of Heartbleed being exploited to date, because the attack is undetectable, it is impossible to say that no attempt has been made. Compromised data has yet to be linked to Heartbleed, but if your server is running a version of OpenSSL between 1.0.1 and 1.0.1f with the heartbeat extension enabled, you are potentially vulnerable to Heartbleed and should take the steps below to address it.
If you have any question as to whether you are vulnerable, the latest version of DigiCert’s free Certificate Inspector has added Heartbleed to the lengthy list of vulnerabilities it can detect. To learn more and get access to this tool, visit https://www.digicert.com/heartbleed-bug-vulnerability.htm.
If you are vulnerable to Heartbleed, there are two steps you need to take:
The order of these steps is very important — it's critical that you stop the bleeding before addressing the possible damage — but both steps need to be done as quickly as possible.
There are two three (see update below) options for updating your server. You can either update to OpenSSL version 1.0.1g, or you can recompile your existing version of OpenSSL with
-DOPENSSL_NO_HEARTBEATS. Neither option is inherently better than the other; different dependencies and situations call for different solutions. But you should take one of these actions immediately.
The first step, whether you are a DigiCert customer or not, is to create a new key pair and Certificate Signing Request. DigiCert has a very useful free tool to quickly create CSR creation commands. The last thing you want to do when quickly trying to address Heartbleed is fumble with complicated shell commands. The DigiCert Easy CSR for Apache and Exchange CSR Command Generator make it easy to re-key or create a new a new SSL Certificate. These tools are available to anyone, whether using DigiCert or another SSL Certificate provider.
If you are a DigiCert customer, re-keying is always free, easy, and nearly instantaneous. Here are the steps:
You will need to re-key every certificate that has been on a vulnerable server.
Now that Heartbleed has been made public, if you use one of the affected versions of OpenSSL, it is important that you address the issue.
The DigiCert team is always available 24/7 to provide any assistance you may need in re-keying your DigiCert certificates or answer any questions about Heartbleed. As a DigiCert policy, any SSL user, whether a DigiCert customer or not, can call, email, or live chat with us by visiting our Contact page at http://www.digicert.com/contact-digicert-inc.htm.