Palante Tech Coop has been tracking the Heartbleed bug since it was publicly announced in early April 2014. Read below for tips on how to protect your organizational and personal data and find out about steps Palante's taken to protect our clients.
Since there's a lot of possibly intimidating text below this, here's a handy jump menu that will let you skip down to the section that's most relevant to you:
- Change your passwords!
- Make sure your web browsers check for revoked certificates
- Update your web servers
- Revoke, reissue and rekey your SSL certificates
Palante echoes the advice you've probably heard from many sources already: change your passwords! Because so many sites and services were affected, the safest thing to do is to reset your password for every website and internet service after making sure that it is no longer vulnerable to the bug. This includes your password for Palante's ticketing system, https://hq.palantetech.coop.
We recommend changing all online passwords for maximum security. If you feel like you can't change them all, start with your most important or sensitive passwords first! That might mean your email accounts, banking and other financial accounts, or anything else that's particularly private, valuable or important to you.
To check whether a site is or ever was vulnerable you can use the lists compiled by Mashable and CNET. You can also use an online testing tool like http://filippo.io/Heartbleed/, but an all clear from that tool is not an absolute guarantee that the website or other service is now completely safe. In addition to passwords, the private encryption keys used to protect HTTPS traffic were also potentially exposed by the Heartbleed bug; those keys could be used to decrypt past or future encrypted data or to convincingly impersonate a legitimate site for malicious purposes. In order to guarantee that a service is safe, the operator must not only fix the bug in the OpenSSL software, but they must also change the certificate and private encryption key used to protect HTTPS traffic.
Therefore, a conclusive "yes, we've fixed both things" from the people running a given internet service is the only way to know that it is now totally safe. You can find out whether a service has confirmed that they've fixed both things by looking on a service or company's website, contacting their customer support, or seeing what's being reported about them on lists like the ones from Mashable or CNET.
As to why it's recommended that you change all of your online passwords: while it may seem obvious that you should reset all passwords submitted to websites using SSL (with "https://" at the beginning of the URL), those aren't the only passwords that are vulnerable. A number of Internet services besides websites use OpenSSL, including email, instant messaging services, and VPNs. Additionally, various hardware and devices had the vulnerable version of OpenSSL built into them, including various routers, other networking devices, and Android devices running version 4.1.1 of the Android operating system. Because the vulnerability is so widespread, and because it allows attackers to harvest so much information from the memory of affected servers and devices, resetting all passwords that you use anywhere online (websites, email, instant messaging, and so on) is probably your best bet.
As mentioned above and discussed more thoroughly below, Heartbleed made the SSL certificates used to encrypt data on websites that use HTTPS vulnerable. As a result, sites that use the certificates are likely to revoke their old, possibly compromised ones and reissue new ones. However, some web browsers aren't set by default to check whether a certificate you've already used by going to an HTTPS-enabled site in the past has been revoked since you last visited. The danger there is that malicious sites can use revoked certificates to impersonate legitimate sites you're trying to visit, tricking you into giving them your private information such as passwords and financial info. As the excellent Heartbleed writeup by the Progressive Technology Project suggests:
Check your browser's settings for how it deals with “revoked” certificates. Most browsers (Opera and Internet Explorer are exceptions) do NOT check for revocation or reject revoked certificates by default. You have to change the settings. Search the Internet for instructions on how to do this for your favorite browser. If your browser still accepts the old, possibly exploited, certificate, you could continue to be exposed to a misdirecting attack.
You can test how your own browsers behave by visiting https://www.cloudflarechallenge.com/heartbleed, a special page that CloudFlare set up for testing. That page is deliberately using a revoked SSL certificate, so however your browser reacts to loading that page will tell you how it will react when you visit any site that is using a revoked certificate.
From what I've gathered from my own research and by reading this great summary from the CloudFlare blog, by default Firefox flat out denies access to sites using revoked certificates; Safari and Internet Explorer issue warnings but let you proceed despite the revoked certificates (suggestion: don't proceed!), and in Chrome you need to enable certificate revocation checks yourself. Here's another list I found on a security forum where people are testing their own browsers and posting the results.
Don't forget about the web browsers you use on your smartphones and other devices! I tested the Firefox browser on my Android phone using the CloudFlare test and was happy to see that it caught the revoked certificate. However, the default Android Browser did NOT block access to the page and I can't find a way to fix that, so I won't use the default Android Browser to visit any sensitive sites.
If you have a website or a web application like CiviCRM, you should make sure that your web host has fixed the Heartbleed OpenSSL bug on their server. You can use this Heartbleed test tool to check whether your site or web app is still vulnerable by entering your URL for testing.
Palante has already checked the web servers for all clients who receive ongoing Drupal, WordPress, CiviCRM or VPS maintenance and has made sure that fixes have been applied to all vulnerable servers. If Palante doesn't provide ongoing website or CiviCRM maintenance for your organization, you should check with your web host to make sure that they've applied the needed fix.
Many websites use HTTPS and an SSL certificate to encrypt sensitive data, like credit card information submitted to a store or donation system. SSL certificates on vulnerable servers may have been compromised in two serious ways: if someone obtained your certificate's secret key, they could decrypt all past and future encrypted data passed through your server, and they could also impersonate your website to trick people into handing over sensitive data. This sort of compromise is difficult to achieve, but not impossible--it's happened to a few sites already. Therefore, the safest thing to do if you use an SSL certificate on a server that was once vulnerable is to follow the steps below:
- If your server uses OpenSSL you'll need to make sure it's not using a vulnerable version of the software. You can use tools like the Heartbleed test to see whether your server is currently vulnerable to the bug; if it is, you'll need to make sure it's fixed ASAP. If you maintain your own server you'll need to apply the updates yourself; if your web hosting company manages your server, they should apply the updates for you.
- After the OpenSSL software is fixed you'll need to generate a new SSL/TLS key, get a new SSL certificate for the key, and start using them on your site. You'll also need to revoke the certificate you were previously using, since there's a chance an attacker got both your old key and your old certificate from your vulnerable server and could therefore impersonate your site and trick users into thinking it's legitimate.
- You should then ask your users to change the passwords they use to log into your site.
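Here is an added shell example (our own illustration, not code from the original post or from any vendor) of the server-side steps above: checking the reported OpenSSL version, generating a brand-new key and certificate request, and confirming which certificate the server actually presents afterwards. The hostname, key paths and output directory are hypothetical, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: helpers for the post-Heartbleed update/rekey procedure.
# Hostname and paths below are placeholders; adjust them for your server.

# Return 0 if VERSION names a Heartbleed-vulnerable upstream OpenSSL release:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g and later are fixed, and
# 1.0.0/0.9.8 never had the heartbeat code. Caveat: Debian and Ubuntu shipped
# the fix as a patched build that still reports "1.0.1e" or "1.0.1", so on
# those systems check the package changelog or an online test as well.
heartbleed_vulnerable_version() {
  case "$1" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
    1.0.2-beta1|1.0.2-beta1-*)     return 0 ;;
    *)                             return 1 ;;
  esac
}

# Generate a fresh 2048-bit RSA key and a CSR for it. The NEW key is the whole
# point: reissuing a certificate for the old key would leave anyone who pulled
# that key out of server memory able to impersonate the site.
rekey_site() {
  host="$1"; outdir="$2"
  umask 077   # private key must not be world-readable
  openssl genrsa -out "$outdir/$host.key" 2048
  openssl req -new -key "$outdir/$host.key" -subj "/CN=$host" \
    -out "$outdir/$host.csr"
  echo "Submit $outdir/$host.csr to your CA, then revoke the old certificate."
}

# Print the SHA-1 fingerprint of the certificate a live server presents, so you
# can confirm the new certificate is installed and the old one is gone.
served_cert_fingerprint() {
  host="$1"
  echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2
}

# Stand-alone run: report whether the local OpenSSL is a vulnerable release.
if command -v openssl >/dev/null 2>&1; then
  v=$(openssl version | awk '{print $2}')
  if heartbleed_vulnerable_version "$v"; then
    echo "OpenSSL $v: vulnerable release, update it before rekeying"
  else
    echo "OpenSSL $v: not a vulnerable upstream release"
  fi
fi
```

Run `rekey_site www.example.org /etc/ssl/private` after the update, and compare `served_cert_fingerprint www.example.org` before and after installing the new certificate to confirm the switch took effect.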
If you're a Palante client and need help generating new SSL/TLS keys, getting a new SSL certificate, installing the new key and certificate on your site, and revoking your old certificate, let us know and we'll help you out as soon as we can! You may also want to try contacting your web host or your certificate provider to see what help they can offer you if you'd like to take care of it yourself. We hope this information is useful as you and your organizations figure out how to deal with Heartbleed!
- Information on Heartbleed from the Progressive Technology Project and May First/People Link
- CNET's Heartbleed FAQ
- A very thorough yet accessible technical breakdown of the Heartbleed bug
- The CloudFlare test to see if your browser properly checks for revoked certificates: https://www.cloudflarechallenge.com/heartbleed
- An easy-to-use test to see if a website or server is still running a vulnerable version of OpenSSL: https://filippo.io/Heartbleed/