Heartbleed: Don’t Rush to Change your Password unless Advised

You’ve probably heard about Heartbleed, the security vulnerability in a particular version of OpenSSL which was made public on Tuesday. Security expert Bruce Schneier described it as “catastrophic”:

On the scale of 1 to 10, this is an 11.

The vulnerability allows an attacker to read up to 64k of memory from an affected system.  This could be user data, passwords, encryption keys or the security certificate of the server itself.  
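The 64k ceiling comes from the heartbeat message format: its length field is 16 bits, so a peer can claim at most 65,535 bytes. Below is an added example, not code from this post or from OpenSSL, showing a heartbeat parser that applies the check the vulnerable code lacked: the claimed length must fit inside the bytes that actually arrived, otherwise the message is discarded.

```python
import struct

# TLS heartbeat message layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3
MIN_PADDING = 16

# The 16-bit length field is why the leak is bounded: the "64k" in the write-up.
MAX_CLAIMED_PAYLOAD = 0xFFFF  # 65535


def parse_heartbeat(record: bytes):
    """Return (type, payload) for a well-formed heartbeat, or None if it must be discarded.

    Hardened rule: the length the sender *claims* must fit inside the record that
    actually arrived, with room for the mandatory padding. The vulnerable code trusted
    the claimed length and copied that many bytes out of its own memory instead.
    """
    if len(record) < HEADER_LEN:
        return None
    msg_type, claimed_len = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if HEADER_LEN + claimed_len + MIN_PADDING > len(record):
        return None  # RFC 6520: silently discard
    return msg_type, record[HEADER_LEN:HEADER_LEN + claimed_len]


def build_heartbeat(msg_type: int, payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a heartbeat message whose length field matches the payload it carries."""
    if len(payload) > MAX_CLAIMED_PAYLOAD or len(padding) < MIN_PADDING:
        raise ValueError("payload too large or padding too short")
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def respond(record: bytes):
    """Server side: echo only the bytes the client actually sent, or reply with nothing."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])
```

A record whose header advertises more payload than it carries is dropped before any copy happens, which is the whole of the fix.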

The problem with Heartbleed is that there is no way to know whether an exposed system has been breached.  It’s possible that no one knew about the vulnerability before it was announced this week, but if they didn’t then, they do now.

Some media reports have warned users to change their passwords, normally a good practice, but in this case that’s a bad idea.  Graham Cluley explains:

You should only change your password in response to the Heartbleed bug after a website or internet company has:

  1. Checked to see if it is vulnerable
  2. Patched its systems
  3. Grabbed a new SSL certificate (having revoked their previous one)
  4. Told you it is fixed

It’s not enough to patch the server without revoking the old SSL certificate. And if you rush to change your password before a site has been fixed, the new password is more likely to be compromised, because the exploit has now been publicised.

On the plus side, early reports about how widespread the vulnerability is have turned out to be overstated. While it is true that the vast majority of secure servers use OpenSSL, it appears that only about 500,000 had installed the vulnerable version or enabled the heartbeat functionality which contains the vulnerability. This corresponds to about 17% of web servers.

There’s a strong chance that a service you use is not affected. If it is, it should be patched and a new certificate issued. Once that is done, users should be notified and advised to reset their passwords.

If you want to check for yourself, SSL Labs have provided a test which allows users to check the security status of any domain.

Over at the Blacknight blog, Alan confirms that Blacknight systems are patched and certificates reissued.

