Should I take any action regarding Heartbleed?

Question

Should I take any action regarding Heartbleed?

Asked 10 years, 7 months ago

Viewed 177 times

14

As a developer, I have to take some action regarding the Heartbleed? Being a problem in Openssl, I believe it is more within the scope of webmasters, server administrators, etc. But I’m not sure if that’s all it is (update Openssl and exchange all certificates and passwords) or if you have any more specific actions to take, or some detail we would have to pay attention to.

Contextualizing, for those who are not aware of the problem: a bug in Openssl was recently identified that allowed the attacker to access arbitrary memory regions on the server, all without the need for authentication and without leaving a trace. Certificates, private keys, passwords, personal data, nothing would be safe. It is being described as "the worst security breach in the history of the Internet", "on a scale of 1 to 10, that’s an 11", etc. On the site security.SE, the tag heartbleed, created yesterday (2014-04-08), already has almost 50 questions. All this already gives an idea of the dimensions of this vulnerability, and why it deserves special attention at this time.

5

Since no one answers, I’ll at least comment on my point of view. From what I read about the bug, no specific action by the developer is required, but by the network or service infrastructure administrator. However, the information must be known to all those affected by the failure in a business (in this case, until the president), who must demand immediate correction. In fact, in many cases it will be the developer himself to solve the problem, if he is the type of professional who wears several hats at work and has the necessary permissions.

– utluiz

2014/04/11 at 13:34
2

Best "visual explanation" for bug: http://xkcd.com/1354/

– Luiz Vieira

2014/04/11 at 14:25
1

Curiosity: Heartbleed can do not allow, in fact, access to private keys.

– Guilherme Agostinelli

2014/04/11 at 16:37
1

@Guilhermeagostinelli : depending on whether you use apache, ngix... In general, safely, it is better to sin for caution.

– woliveirajr

2014/04/11 at 18:43
Related: What should a website?, Is Stack Exchange safe from Heartbleed? and What versions of OS X are affected by Heartbleed?

– brasofilo

2014/04/12 at 09:31

2 answers

3

After bug fixing and revoking the compromised certificates I would require a mandatory password exchange of all users on first login. In this last part of the password exchange enter the developer’s work.

I am accepting that answer, because in fact it seems that’s all it is. If additional information arises, I review (but for the past time and the progression of events, I believe there will be no news...)

– mgibsonbr

2014/04/30 at 13:26

Browser other questions tagged security-guard openssl

You are not signed in. Login or sign up in order to post.

by Daniel Santos • **1,217** points · Answer 1 · 2014-04-11T17:19:18+00:00

2

The only action required is to test your (s) application(s) with the corrected version of the Openssl library to ensure that they work, so that webmasters and server administrators have no problems updating the library.

Most applications do not interact directly with Openssl, because it is something of lower level, but anyway it is a great recommendation! Good to expedite migration, avoid surprises...

– mgibsonbr

2014/04/30 at 13:28
1

Truth @mgibsonbr, usually they interact with the server and Runtime/vm that in turn interact with Openssl, so I prefer to consider the library exchange as a server/Runtime/vm update and act accordingly.

– Daniel Santos

2014/04/30 at 16:40