Apr 29, 2014

How To Beat Heartbleed

If you watch the news, or logged into your online banking account you've no doubt heard about the Heartbleed bug that affects anything that uses OpenSSL 1.0.1 through 1.0.1f, as well as 1.0.2beta (CVE-2014-0160). Sadly, since much of the web uses Apache for web servers with OpenSSL, a lot of websites are affected by this.

If you haven't heard about Heartbleed according to US-Cert.gov it is:

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
At my company we work with a lot of banks, and because of this vulnerability they are all literally shitting bricks over it. I'm getting questionnairres from them every day asking if we are patching our systems.

Well, the truth is none of our sites are vulnerable. Why is that? Well because we are either using Microsoft IIS for web servers which don't use OpenSSL, or we are using GnuTLS on our Linux webservers. Again, GnuTLS is not vulnerable.

So if you want to beat Heartbleed and you are currently using Microsoft IIS, don't worry, you are fine. If you are using Apache, you might want to get rid of OpenSSL and switch to GnuTLS. I wrote about how to do that on Ubuntu here: (How to upgrade to GnuTLS in Ubuntu).

You can test your sites quickly against Heartbleed at SSLLabs.com.

Good luck!
Enhanced by Zemanta

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam