blog.awill.me

blog.awill.me

22 Apr 2014

Company responses to Heartbleed

I haven’t posted in a really long time. These days I do shorter status updates through social networks, and haven’t felt the need for a long post like this one. You’ve probably all heard about the heartbleed OpenSSL bug by now. It’s a catastrophic bug that allows a hacked to steal usernames and passwords from an encrypted server.”

There have been reports that 2⁄3 of the entire web were affected. I highly doubt the number is that high. Maybe 2⁄3 of the web use OpenSSL, but it’s not that simple, as only certain versions of OpenSSL are affected. The affected version of OpenSSL are v1.01(a-f). That means, Ubuntu 12.04, Debian 7 and RHEL 6.5 are all affected (but not versions older than that). So, if by sheer luck (or laziness), your servers are out of date on patching, you wouldn’t be affected. What was interesting from my perspective, was not only seeing the response from tech companies, but also the response from affected Linux distributions. This is how you respond:

I haven’t posted in a really long time. These days I do shorter status updates through social networks, and haven’t felt the need for a long post like this one. You’ve probably all heard about the heartbleed OpenSSL bug by now. It’s a catastrophic bug that allows a hacked to steal usernames and passwords from an encrypted server.”

There have been reports that 2⁄3 of the entire web were affected. I highly doubt the number is that high. Maybe 2⁄3 of the web use OpenSSL, but it’s not that simple, as only certain versions of OpenSSL are affected. The affected version of OpenSSL are v1.01(a-f). That means, Ubuntu 12.04, Debian 7 and RHEL 6.5 are all affected (but not versions older than that). So, if by sheer luck (or laziness), your servers are out of date on patching, you wouldn’t be affected. What was interesting from my perspective, was not only seeing the response from tech companies, but also the response from affected Linux distributions. This is how you respond: It is extremely clear. It explains exactly what versions of OpenSSL and Red Hat’s products are affected.

I saw different reactions from web companies:

1- Google: “We were affected, but we’ve patched and rebooted everything. Your data is safe, though as a precaution, we’ve changed our SSL certificates, and recommend you change your password also.” This is really the best response. The latest stable version of OpenSSL was affected, so properly running/updated websites should have been affected. That means they were staying up to date. If your server was already up to date, it would be easier to patch (fewer changes).

2- Hover: “We were not affected by this vulnerability.” Reasonable response. Though I’d like to know why. Are you running Windows Server, or an old version of openSSL?

They waited more than a week to realize they were affected, and took even longer to patch. Healthcare.gov (and many other sites) took more than a week to figure out they were vulnerable.

To check if you’re vulnerable, you just need to check what version of OpenSSL you’re running. It’s really as simple as running this command on the server:

[root@server ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

3- No customer facing comment at all. Acceptable if you’re a small site and/or don’t store personal information or credentials, but not for the Facebooks and Googles.

Categories