Should I take any action regarding Heartbleed?

As a developer, do I have to take any action regarding Heartbleed? Being a problem in OpenSSL, I believe it is more within the scope of webmasters, server administrators, etc. But I'm not sure whether that's all there is to it (update OpenSSL and replace all certificates and passwords) or whether there are more specific actions to take, or some detail we would have to pay attention to.

Contextualizing, for those who are not aware of the problem: a bug was recently identified in OpenSSL that allows an attacker to read arbitrary memory regions on the server, all without the need for authentication and without leaving a trace. Certificates, private keys, passwords, personal data, nothing would be safe. It is being described as "the worst security breach in the history of the Internet", "on a scale of 1 to 10, that's an 11", etc. On security.SE, the heartbleed tag, created yesterday (2014-04-08), already has almost 50 questions. All this gives an idea of the dimensions of this vulnerability, and why it deserves special attention at this time.

2 answers

After fixing the bug and revoking the compromised certificates, I would require a mandatory password change for all users on their next login. It is in this last part, the password change, that the developer's work comes in.

  • I am accepting this answer, because in fact it seems that's all there is to it. If additional information arises, I will revise it (but given the time that has passed and the progression of events, I believe there will be no news...)
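One way to implement the forced password change this answer describes, as an added example that is not part of the original thread. The in-memory user store, the `must_reset_password` flag and the function names are all assumptions; a real application would keep the flag in its database. Hashing uses PBKDF2-HMAC-SHA256 from the standard library.

```python
"""Added example (not from the original thread): after a credential-exposure
incident, every user must choose a new password before the account can be
used again. The user store below is a hypothetical in-memory dict."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    must_reset_password: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; same inputs always give the same digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(user: User, password: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def create_user(store: dict, username: str, password: str) -> User:
    salt = os.urandom(16)
    user = User(username, salt, hash_password(password, salt))
    store[username] = user
    return user


def flag_all_for_reset(store: dict) -> int:
    """Incident-response step: assume every stored credential may have leaked,
    so every account must set a new password on its next login.
    Returns how many accounts were flagged."""
    for user in store.values():
        user.must_reset_password = True
    return len(store)


def login(store: dict, username: str, password: str) -> str:
    """Returns 'invalid', 'reset_required' or 'ok'.
    The flag is checked only after the current password verifies, so an
    unauthenticated caller learns nothing from it."""
    user = store.get(username)
    if user is None or not verify_password(user, password):
        return "invalid"
    if user.must_reset_password:
        return "reset_required"
    return "ok"


def reset_password(store: dict, username: str, old_password: str, new_password: str) -> bool:
    """Completes the forced change. The old password must still verify and
    the new one must differ from it (re-using a possibly leaked secret
    defeats the purpose). A fresh salt is generated for the new hash."""
    user = store.get(username)
    if user is None or not verify_password(user, old_password):
        return False
    if verify_password(user, new_password):  # same secret as before
        return False
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)
    user.must_reset_password = False
    return True


if __name__ == "__main__":
    users = {}
    create_user(users, "alice", "old-secret")  # constructed sample account
    print(login(users, "alice", "old-secret"))  # ok
    flag_all_for_reset(users)
    print(login(users, "alice", "old-secret"))  # reset_required
    print(reset_password(users, "alice", "old-secret", "new-secret-2014"))  # True
    print(login(users, "alice", "new-secret-2014"))  # ok
```

The order of checks in `login` matters: the reset flag is only revealed to someone who already holds the current password, and `reset_password` refuses the old secret as the new one, since the whole point of the rotation is that the old value may be in an attacker's hands.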

The only action required is to test your application(s) with the corrected version of the OpenSSL library to ensure that they work, so that webmasters and server administrators have no problems updating the library.

  • Most applications do not interact directly with OpenSSL, since it is something lower level, but it is a great recommendation anyway! Good for speeding up the migration and avoiding surprises...

  • True @mgibsonbr, usually they interact with the server and runtime/VM, which in turn interact with OpenSSL, so I prefer to treat the library replacement as a server/runtime/VM update and act accordingly.
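Since applications reach OpenSSL through the runtime/VM, as the comment above notes, the first thing to check is which library that runtime is actually linked against. The following is an added example, not code from the original thread: it reads the OpenSSL version from Python's `ssl` module and compares it with the Heartbleed-affected range (1.0.1 through 1.0.1f; fixed in 1.0.1g). The version strings passed to `parse_openssl_version` at the bottom are constructed samples. A version number alone is not proof either way: distributions backported the fix while keeping the old version string, so treat an "affected" result as "check the vendor advisory", not as a confirmed vulnerability.

```python
"""Added example (not from the original thread): is the OpenSSL this runtime
links against inside the Heartbleed-affected version range?"""
import re
import ssl

_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text: str) -> tuple:
    """'OpenSSL 1.0.1f 6 Jan 2014' -> (1, 0, 1, 6). The patch letter maps
    a=1 ... z=26 and no letter means 0, the same encoding that
    ssl.OPENSSL_VERSION_INFO uses for its fourth element."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_heartbleed_affected(version: tuple) -> bool:
    """True for 1.0.1 .. 1.0.1f inclusive. The 0.9.8 and 1.0.0 branches
    never contained the heartbeat bug; 1.0.1g and later carry the fix.
    Caveat: vendors backported the fix under the old version string, so a
    True result means 'verify against the distribution advisory'."""
    major, minor, fix, patch = version[:4]
    return (major, minor, fix) == (1, 0, 1) and patch <= 6


def runtime_status() -> dict:
    """Which OpenSSL this Python process is actually linked against. This is
    the library the application's tests will exercise, regardless of which
    OpenSSL is installed elsewhere on the host."""
    info = tuple(ssl.OPENSSL_VERSION_INFO[:4])
    return {
        "version": ssl.OPENSSL_VERSION,
        "affected_by_version": is_heartbleed_affected(info),
    }


if __name__ == "__main__":
    # Constructed sample strings in the format OpenSSL itself reports.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "->", is_heartbleed_affected(parse_openssl_version(sample)))
    print(runtime_status())
```

Run it inside each runtime the application is deployed on (the same check translates directly to other languages' crypto bindings), then re-run the application's TLS test suite against the patched library, which is the step the answer above is really asking for.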
