The Heartbleed Bug: Quick And Simple Information
by Graham Needham (BH) on 10th April 2014
When a computer or smartphone needs to talk securely to a server/web site it establishes a secure (encrypted)
connection between itself and the server/web site. To put it in simple terms, both ends (your computer/smartphone and the server/web
site) use special security software (e.g. the OpenSSL library) to create an encrypted connection using the SSL/TLS protocols. The
Heartbleed bug (CVE-2014-0160) is a flaw in OpenSSL's handling of the TLS "heartbeat" extension: a specially crafted heartbeat
message claims a larger payload than it actually carries, and affected versions of OpenSSL answer it by copying up to 64 KB of
whatever happens to be in the program's memory, which can include the server's private key, session cookies and user names/passwords.
It affects OpenSSL 1.0.1 up to and including 1.0.1f. Older and newer versions of OpenSSL do not have the bug, e.g. OpenSSL v1.0.1g,
which is the release that fixes it. Mac OS X and iOS are not affected by this bug as they do not ship an affected version of OpenSSL,
so if you run a server using OS X and your server software uses the system's copy of OpenSSL your server is not affected (software
that bundles its own copy of OpenSSL is a separate matter, see below).
Specifically:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is not vulnerable
- OpenSSL 1.0.0 branch is not vulnerable
- OpenSSL 0.9.8 branch is not vulnerable
- Mac OS X and iOS use the OpenSSL 0.9.8 branch so they are not vulnerable (see Apple's statement)
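As an added illustration, not part of the original post and not OpenSSL's own code, here is a simplified Python re-implementation of the heartbeat handling before and after the 1.0.1g fix, run against a constructed block of "process memory" in which a heartbeat record is followed by data from other connections. The record layout (type byte, two-byte payload length, payload, 16 bytes of padding) follows RFC 6520; the secret text, the claimed length of 1024 bytes and the zero padding in the reply are assumptions made for the demonstration:

```python
# Simplified model of OpenSSL's tls1_process_heartbeat() before and after the
# Heartbleed fix. Added example: a Python re-implementation, not OpenSSL code.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16          # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_record(payload, claimed_len):
    """Build a heartbeat request: type (1 byte), payload_length (2 bytes,
    big-endian), payload, padding. claimed_len may lie about the real payload
    size, which is exactly what a Heartbleed probe does."""
    return (bytes([HEARTBEAT_REQUEST]) + claimed_len.to_bytes(2, "big")
            + payload + b"P" * PADDING_LEN)


def process_heartbeat_vulnerable(memory, rec_off, rec_len):
    """Pre-1.0.1g logic: trust the 16-bit payload length inside the record and
    copy that many bytes from the payload onwards. rec_len, the true length of
    the record that was actually received, is never consulted."""
    hbtype = memory[rec_off]
    payload_len = int.from_bytes(memory[rec_off + 1:rec_off + 3], "big")
    pl = rec_off + 3
    if hbtype != HEARTBEAT_REQUEST:
        return None
    # Equivalent of memcpy(bp, pl, payload): reads past the end of the record
    # into whatever follows it in memory. (Real OpenSSL appends random padding;
    # zero padding is used here so the output is deterministic.)
    leaked = bytes(memory[pl:pl + payload_len])
    return (bytes([HEARTBEAT_RESPONSE]) + payload_len.to_bytes(2, "big")
            + leaked + b"\x00" * PADDING_LEN)


def process_heartbeat_fixed(memory, rec_off, rec_len):
    """1.0.1g logic: discard records too short to hold a heartbeat at all, and
    discard any record whose claimed payload does not fit inside the record."""
    if rec_len < 1 + 2 + PADDING_LEN:
        return None
    hbtype = memory[rec_off]
    payload_len = int.from_bytes(memory[rec_off + 1:rec_off + 3], "big")
    pl = rec_off + 3
    if 1 + 2 + payload_len + PADDING_LEN > rec_len:
        return None          # silently drop, as RFC 6520 requires
    if hbtype != HEARTBEAT_REQUEST:
        return None
    return (bytes([HEARTBEAT_RESPONSE]) + payload_len.to_bytes(2, "big")
            + bytes(memory[pl:pl + payload_len]) + b"\x00" * PADDING_LEN)


# Constructed "process memory": the malicious record, then data belonging to
# other connections that an attacker should never be able to see.
SECRET = b"Cookie: session=8f3c1a2b; user=alice password=hunter2 "
MALICIOUS_RECORD = build_heartbeat_record(b"hi", claimed_len=1024)   # 2-byte payload, claims 1024
MEMORY = bytearray(MALICIOUS_RECORD + SECRET + b"\x00" * 2048)
HONEST_RECORD = build_heartbeat_record(b"hi", claimed_len=2)         # length field tells the truth
HONEST_MEMORY = bytearray(HONEST_RECORD + SECRET + b"\x00" * 2048)


def demo():
    """Return what each implementation sends back. The over-read shows up as
    SECRET bytes inside the vulnerable reply; the fixed code answers only the
    honest record."""
    return {
        "vulnerable": process_heartbeat_vulnerable(MEMORY, 0, len(MALICIOUS_RECORD)),
        "fixed": process_heartbeat_fixed(MEMORY, 0, len(MALICIOUS_RECORD)),
        "fixed_honest": process_heartbeat_fixed(HONEST_MEMORY, 0, len(HONEST_RECORD)),
    }


if __name__ == "__main__":
    out = demo()
    print("vulnerable server leaked the secret:", b"hunter2" in out["vulnerable"])
    print("fixed server reply to malicious record:", out["fixed"])
    print("fixed server reply to honest record, payload:", out["fixed_honest"][3:5])
```

The fix is the single bounds check `1 + 2 + payload_len + PADDING_LEN > rec_len`: the record's own length field is attacker-controlled, so the copy must be limited by the number of bytes that actually arrived, not by what the sender claims.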
What you should do immediately
- If you use Mac OS X or a jailbroken version of iOS and you have installed a different/newer version of OpenSSL (e.g. via Homebrew or MacPorts) on your own computer or your server, you may be affected. Check that the version of OpenSSL you installed is not one of the affected versions listed above.
- If you use a computer or smartphone that does not run Mac OS X or iOS, check that your operating system (e.g. Windows, Linux distributions such as Ubuntu and Red Hat, other UNIX systems, Android) does not ship an affected version of OpenSSL. Each vendor has published its own advisory:
- Windows - Windows itself and IIS use Microsoft's own SChannel library rather than OpenSSL, so the operating system is not affected, but third-party software installed on Windows often bundles its own copy of OpenSSL (see the next point)
- Ubuntu - see the Ubuntu security notice for your release
- Red Hat - see the Red Hat security advisory for your release
- Android - Google has stated that Android 4.1.1 is affected and other releases are not
- Linux/UNIX - run the command "openssl version" in a terminal to see if you are running an affected version (see list above). Note that some distributions fixed the bug by patching their existing package rather than moving to 1.0.1g, so a version string such as 1.0.1e does not by itself prove you are vulnerable: check the package changelog or vendor advisory, or the build date printed by "openssl version -b" (a build on or after 7th April 2014 indicates a rebuilt package). If you are on an affected version, update/upgrade to a fixed version.
- If you have installed software on your own computer or your server that creates an encrypted connection between it and another computer, you may be affected: such software often bundles its own copy of OpenSSL and is not fixed by an operating system update. Check with the vendor that the version you have installed does not use an affected version of OpenSSL. For example:
- Off site backup software
- Banking software
- VPN clients e.g. OpenVPN, Tunnelblick
- Cloud storage applications e.g. Dropbox, Microsoft OneDrive
- If you or your company runs a server/web site, check that both the server's operating system (e.g. Windows, Linux, Ubuntu, Red Hat, UNIX) and the web server software installed on it (e.g. Apache, IIS) do not use an affected version of OpenSSL. Apache on Linux normally uses the system's OpenSSL; IIS uses SChannel and is not affected itself, but any load balancer, VPN gateway or other appliance that terminates SSL/TLS in front of the server needs checking too.
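An added helper, not from the original post and not part of OpenSSL or any vendor's tooling, that classifies the first line of "openssl version" output against the version ranges listed above and can run the command on the local machine. The sample version strings are constructed for the demonstration. Because Debian, Ubuntu and Red Hat shipped the fix as a patch to their existing 1.0.1e packages, a version in the affected range is reported as "possibly-vulnerable" and should be confirmed against the vendor advisory, the package changelog or the build date from "openssl version -b":

```python
# Classify `openssl version` output against the Heartbleed-affected range.
# Added example; not OpenSSL code or any distribution's tooling.
import re
import subprocess

# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> ('1', '0', '1', 'e', 'fips')
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")


def classify_openssl_version(version_line):
    """Classify the first line printed by `openssl version`.

    Returns 'possibly-vulnerable', 'fixed', 'not-affected' or 'unknown'.
    "possibly" because several distributions backported the fix into their
    existing 1.0.1e packages, so the version string alone cannot prove a
    system is still vulnerable; confirm with the package changelog, the
    vendor advisory or the build date from `openssl version -b`."""
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f carry the bug; 1.0.1g removed it.
        return "possibly-vulnerable" if letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2) and suffix == "beta1":
        return "possibly-vulnerable"   # 1.0.2-beta1 was affected too; beta2 fixed it
    return "not-affected"              # 0.9.8, 1.0.0, 1.0.2 final and everything later


def local_openssl_status():
    """Run `openssl version` on this machine and classify the result.
    Returns 'unknown' when no openssl binary is on PATH."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False)
    except (FileNotFoundError, OSError):
        return "unknown"
    return classify_openssl_version(proc.stdout)


# Constructed sample outputs covering each branch (not captured from real systems).
SAMPLE_OUTPUTS = {
    "OpenSSL 1.0.1 14 Mar 2012": "possibly-vulnerable",
    "OpenSSL 1.0.1e-fips 11 Feb 2013": "possibly-vulnerable",
    "OpenSSL 1.0.1f 6 Jan 2014": "possibly-vulnerable",
    "OpenSSL 1.0.1g 7 Apr 2014": "fixed",
    "OpenSSL 1.0.2-beta1 24 Feb 2014": "possibly-vulnerable",
    "OpenSSL 1.0.0l 6 Jan 2014": "not-affected",
    "OpenSSL 0.9.8y 5 Feb 2013": "not-affected",
    "LibreSSL 2.2.7": "unknown",
}


def check_samples():
    """Classify every constructed sample; returns the mismatches (empty means
    every sample was classified as expected)."""
    return {line: classify_openssl_version(line)
            for line, want in SAMPLE_OUTPUTS.items()
            if classify_openssl_version(line) != want}


if __name__ == "__main__":
    print("sample mismatches:", check_samples())
    print("this machine:", local_openssl_status())
```

Run it as a script to see the classification of the local openssl binary; a "possibly-vulnerable" result is the cue to check the build date and the vendor advisory rather than a verdict on its own.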
The problem that is out of your hands
Whatever computer or smartphone you are using, you will almost certainly be using it to connect to servers/web sites out
there on the internet. You have no control over those servers/web sites and they may be running software that
is affected by this bug. The only thing you can do is check with that web site/company that they are not using software
that is affected by this bug or, if they are/were, that they have upgraded/changed the software so that they are no longer
affected by the bug. Over the coming hours/days/weeks most web sites will probably put a notice on their home page saying that
they are either not affected or that they have fixed/upgraded their software. The key point is that if a web site/company does
not post such a message then you should be wary of using that web site. There are already web sites where you can
enter another web site's address (URL) and they will report whether that site/server
might be vulnerable:
http://filippo.io/Heartbleed/
https://www.ssllabs.com/ssltest/
Bear in mind that these checkers only test whether the server responds to a malformed heartbeat right now; they cannot tell you
whether it was vulnerable last week. A server that may have leaked its private key also needs a newly issued certificate, not just
the software update; the SSL Labs report shows the certificate's "valid from" date, which tells you whether it was reissued after the fix.
The BBC has a small list of major web sites and whether they are/were vulnerable.
Mashable has a great list of major web sites and whether they are/were vulnerable.
What about changing all my passwords?
The problem with this right now is that if the server/web site is still running vulnerable software, changing your password
now won't make any difference: the new password can be stolen in exactly the same way as the old one.
You should only change your password once you know that the company/server/web
site was affected by this bug and that they have upgraded/changed their software to fix the problem.
What if I use two factor authentication?
Some sites offer two factor authentication such as sending a code to your mobile phone or using a mobile app/security
key generator device. An attacker who obtained only your username/password from a vulnerable server could not log in
without that second factor, so these sites are safer than others. (Memory leaked from a vulnerable server can also contain
the cookies of sessions that were already logged in, so two factor authentication does not protect against everything here.)
But if the web site was vulnerable an attacker may still have been able to get your username/password for that site, so
you should still change your password once you know that the site was vulnerable and has been updated.
What should I do?
- We'll keep updating this blog post with more information/links as it becomes available so why not bookmark and keep revisiting?
- Change your password at servers/web sites that were affected by this bug once they have upgraded/changed their software to fix the problem.
- Keep your software up-to-date. Make a list and go through all the applications you have purchased/downloaded - if that software makes a secure connection to another computer in some way check with the vendor of that software whether it is affected by the Heartbleed bug. If it is, don't use it until you have an updated version of the software that fixes the bug.
- Continue to adhere to best computer/internet security practices (see our own security articles below).
- Know more about the problem and affected software by reading up on the subject.
MacStrategy Security Articles
#1 - Physical
#2 - Software
#3 - Malware, Social Engineering and Scams
#4 - Securing Data
#5 - User Names and Passwords including Apple IDs
#6 - Networking/Internet/Online Shopping
#7 - Securing Older Mac Operating Systems
#8 - Apple's OS X Gatekeeper
#9 - For People Wearing Tinfoil Hats
Further Reading
Blog Post Author = Graham Needham (BH)
Blog Post Created On = 10th April 2014
Blog Post Last Revised = 25th January 2018 12:44
Blog Post URL = https://www.macstrategy.com/blog_post.php?24
This blog post is representative of the blog author's individual opinions and as such any opinions that may be expressed here may not necessarily reflect the views of everyone at MacStrategy or the holding company Burning Helix.