10

I see in the news about the “Heartbleed” security bug. As an end user, do I need to do anything about it?

6
  • 1
It shows a lack of research; the problem is with OpenSSL, which is clearly server side.
    – Ramhound
    Commented Apr 8, 2014 at 19:26
  • 4
    @Ramhound Could you provide a reference for that? Client applications can link to the OpenSSL library to provide SSL/TLS related functionality (see e.g. this). Also, from heartbleed.com (bold highlight mine): "When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server."
    – Daniel Beck
    Commented Apr 8, 2014 at 20:28
  • @DanielBeck, Ramhound downvoted the question. Anyone can add a “no” answer. (I haven't even selected an answer, yet.)
    – danorton
    Commented Apr 8, 2014 at 20:31
While the leak can happen on both ends, a malicious hacker isn't going to attack the client side. I stand by my statement about the lack of research, though. Furthermore, Apache was the target from what I read.
    – Ramhound
    Commented Apr 8, 2014 at 21:06
  • 1
@Ramhound, you read wrong. Anything that links against OpenSSL is the target. Now, that includes Apache, but it is by no means limited to Apache. And besides, I still don't understand how you think this isn't properly researched. Besides, you've just fallen prey to one of the minor dumbs of the 6 Dumbest Ideas in Computer Security: "we're not a target" isn't an argument.
    – strugee
    Commented Apr 9, 2014 at 7:04

3 Answers

7

Yes!

  1. Know and let others know that all information might have been revealed that was encrypted only by HTTPS for many web servers around the world.
  2. You should contact your service providers and confirm that they have plans or have already taken the necessary steps to correct the vulnerability (presuming they were susceptible to it). This especially includes banks, financial institutions and other services that hold your most valuable and sensitive information. Until they have confirmed that they have applied the corrections, the information that they make available to you via HTTPS remains vulnerable.
  3. Your service providers might disable your previous passwords or otherwise require you to change them, but, if they don’t, change your passwords after they have applied the corrections.

You can find basic information at http://heartbleed.com/

More technical information is available from:

For those who aren’t end users, see this question on serverfault:

7
As a Linux end user, I have OpenSSH 1.0.1e installed on my laptop (Debian Wheezy). Do I still have nothing to worry about?
    – user146393
    Commented Apr 9, 2014 at 6:19
@StaceyAnne OpenSSH isn't affected, OpenSSL is. Was that a typo?
    – strugee
    Commented Apr 9, 2014 at 7:02
Yep, it was a typo.
    – user146393
    Commented Apr 9, 2014 at 7:22
"You should contact your service providers and confirm that they have plans or have already taken the necessary steps to correct the vulnerability" I assume by service providers you mean the websites and not ISPs, right?
    – Synetech
    Commented Apr 10, 2014 at 17:28
@Synetech, good point, but the wording is awkward. You can't contact a "website". I wonder what better term might go there.
    – danorton
    Commented Apr 12, 2014 at 21:00
0

As a Linux user, I had OpenSSL 1.0.1e installed on my Debian 7.0 (wheezy) install.

To fix it, I did this:

apt-get update
apt-get upgrade openssl

This re-installs OpenSSL and replaces it with 1.0.1e-2, the fixed OpenSSL for Debian Wheezy.

The major issue is really on the server side, but it is a good idea to upgrade your client OpenSSL if it's installed, just to be sure. See Debian Security Advisory, DSA-2896-1 openssl -- security update for further information.
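Added here as an example, not code from this answer or from Debian: a POSIX shell check that classifies the string printed by `openssl version` against the upstream Heartbleed-affected range (upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the bug; 1.0.1g and later are fixed; the 1.0.0 and 0.9.8 branches never had the heartbeat code). The function names are my own, and the check carries the caveat the answer above hints at: a distribution backports the fix without changing the upstream number, so a patched wheezy package still reports 1.0.1e and the package version must be compared against the advisory (DSA-2896-1) instead.

```shell
# Added example (not from any answer on this page). Classify an `openssl version`
# line by upstream version number. Distribution builds (e.g. Debian wheezy, which
# keeps reporting 1.0.1e after the fix) need the package-version check below instead.
heartbleed_upstream_status() {
    # $1: a full line such as "OpenSSL 1.0.1e 11 Feb 2013"; the version is field 2
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "vulnerable-upstream" ;;       # 1.0.1 .. 1.0.1f and 1.0.2-beta1
        1.0.1*|1.0.2*|1.1.*|3.*)
            echo "not-vulnerable" ;;            # 1.0.1g+, 1.0.2-beta2+, later branches
        1.0.0*|0.9.*)
            echo "not-vulnerable" ;;            # branches without the heartbeat code
        *)
            echo "unknown" ;;                   # not an OpenSSL version line
    esac
}

# Report what this machine actually has. The openssl binary and the shared library
# that client programs link (libssl1.0.0 is the wheezy package name) are separate
# packages, so on Debian both package versions are printed for comparison with the
# security advisory.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        line=$(openssl version)
        printf '%s -> %s\n' "$line" "$(heartbleed_upstream_status "$line")"
    else
        echo "openssl binary not found in PATH"
    fi
    if command -v dpkg >/dev/null 2>&1; then
        for pkg in openssl libssl1.0.0; do
            dpkg -s "$pkg" 2>/dev/null | awk -v p="$pkg" '/^Version:/ {print p ": " $2 " (compare with DSA-2896-1)"}'
        done
    fi
}
```

Run `check_local_openssl` after `apt-get upgrade`; note that a program which had already loaded the old libssl keeps using it until the process is restarted, so long-running clients (mail clients, VPN daemons, FTPS clients) need a restart or a reboot for the upgrade to take effect.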

0

You should also upgrade your TLS/SSL clients that use OpenSSL as soon as a fixed version is available, particularly FTPS (FTP over TLS/SSL) clients.

Fortunately an exploit of the vulnerability in clients is less probable than in servers.

See also:

1
  • And people balked when I said I still use Outlook Express 6. Who’s laughing now? :-P
    – Synetech
    Commented Apr 10, 2014 at 17:30
