Heartbleed affects the OpenSSL security system used to protect many global websites, potentially enabling an attacker to steal website encryption keys. Possessing these keys allows attackers to impersonate website administrators, and steal both current and previous traffic passing through the site.
Using the keys, attackers can capture user passwords, financial details, emails and secret documents. The vulnerability existed for two years before being discovered.
Heartbleed is believed to be the most serious vulnerability in SSL security systems to be uncovered, and it poses an immediate risk to companies using affected versions of OpenSSL on their websites, and consumers that have used those websites. Below are a series of actions to help businesses and consumers establish if this vulnerability affects them.
Clavister's products are not affected by this vulnerability, as we do not use OpenSSL for handling any type of SSL traffic.
For businesses:
- Any business using OpenSSL 1.0.1 through to 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the affected 'heartbeat' extension.
- After moving to an unaffected version of OpenSSL, it's possible that your web server certificates may have been compromised or stolen as a result of exploitation. Contact the certificate authority for a replacement certificate.
- Businesses should also consider resetting end-user passwords that may have been visible in a compromised server's memory.
For consumers:
- This Mashable article gives a useful guide to which popular websites and services may have been affected, and gives the website's recommended advice on whether you need to change your password.
- Avoid potential phishing emails from attackers asking you to update your password - and avoid clicking on links in emails asking you to change passwords. Only visit the official website to change passwords.