THE BLOG
04/16/2014 10:47 am ET Updated Jun 16, 2014

OpenSSL Vulnerability Hits the Web Unexpectedly

Monday, 7th of April is a day that many technology people are going to remember, probably for life. It's the day when a bug dubbed "The Heartbleed Bug" was revealed to the masses.

Two thirds of all of the websites in the world use OpenSSL, this vulnerability would enable hackers (or anyone else for that matter) to exploit the cryptographic library and use that as a way of stealing information trough the SSL/TLS gateways.

2014-04-08-HeartbleedBug.png

In easy to understand terms, hackers could 'farm' digital fingerprints of your server, and then use those fingerprints to access sensitive data that has been transmitted in the past.

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

[from the official OpenSSL statement.]

I've already written a little guide on how to fix this, but I feel that there is the need to continue spreading the word; until we can rest assured that majority of the web knows about this bug.

1. You should head over to "Heartbleed test" and see whether your page is affected by this or not. If it is, you'll need to update your server in order to solve the problem. If not, you can move on, and instead try helping others to get it fixed.

For those who're unable to SSH into their servers, should immediately contact their hosting providers to make sure that the servers are being secured and everything is being taken care of.

2. If you're indeed exposed to this bug, log inside of your server, and execute the two following commands,

sudo apt-get update
sudo apt-get upgrade

you can see the official Ubuntu security notice here.

It's important that you restart your server afterwards, so that there is no connection between the new version and the older one. When that is all done, head over to the page where you can check your website for the vulnerability, and see whether the issue has been fixed now.

3. Those who use other Linux distributions should turn to their appropriate communities for help and advice.

You can see technical details on the National Vulnerability Database.

Question to You!

How did you find out about this vulnerability, and what was your initial reaction? How have you been coping with this, and have you told your friends to patch their servers?