Heartbleed – Ruh Roh

Well, this is a huge ruh roh… for just about anyone on the internet (either server side or client side). There is a huge “implementation bug” in a bunch of currently deployed OpenSSL packages. There are numerous operating systems affected – CentOS, Red Hat, Oracle, Debian, Ubuntu, SuSE / OpenSuSE… and quite honestly, the more I read about this thing, the uglier it’s getting. They are calling this thing “Heartbleed” – a play on words for Heartbeat, which is where the exploit originates.

So, first off, you can’t just update OpenSSL and call it good. That’s not how this thing works. Secondly, just about anyone using a modern operating system as their web server is probably affected.

Here is where it gets icky… it’s not just you. In order to completely solve this thing and make sure people are not eavesdropping on your encrypted sessions, you’re probably going to need to revoke and rekey your SSL certs. Since, as I said, this affects everyone who uses OpenSSL, that includes the CAs (GoDaddy, Comodo, etc…).

According to the bug report, it’s considered an “implementation bug”, or basically a programming mistake.

Anyway, it’s a huge issue, so you should probably figure out if you’re affected and start working on patching.
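As an added example (not part of the original post), here is a small POSIX shell helper for the two steps above: checking whether the OpenSSL version a host reports falls in the affected range, and deciding whether a cert issued before the host was patched should be rekeyed. The affected-version range and the backport caveat are not on the page and are added here; the function names and the `www.example.com` placeholder are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed facts not stated on the page:
# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the Heartbleed bug; 1.0.1g,
# 1.0.2-beta2 and later are fixed; the 0.9.8 and 1.0.0 branches never had the
# heartbeat code. Caveat: distributions often backport the fix without changing the
# version string, so treat "vulnerable" as "confirm against your vendor advisory",
# and remember that services already running keep the old library in memory until
# they are restarted.

# heartbleed_version_status "OpenSSL 1.0.1e 11 Feb 2013"
# prints one of: vulnerable | fixed | unaffected | unknown
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[-a-z0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f]*)            echo vulnerable ;;
        1.0.2-beta1)                  echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*) echo fixed ;;
        0.9.*|1.0.0*)                 echo unaffected ;;
        *)                            echo unknown ;;
    esac
}

# cert_needs_rekey ISSUED_DATE PATCHED_DATE   (both YYYY-MM-DD)
# Returns 0 (true) if the certificate's private key already existed while the host
# was exposed, i.e. the cert was issued on or before the day the fix was installed.
cert_needs_rekey() {
    issued=$(printf '%s' "$1" | sed 's/-//g')
    patched=$(printf '%s' "$2" | sed 's/-//g')
    case "$issued$patched" in *[!0-9]*|'') return 2 ;; esac   # malformed input
    [ "$issued" -le "$patched" ]
}

# Rekeying: generate a fresh private key and CSR to submit to the CA, then revoke
# the old certificate once the replacement is installed.
generate_new_key_and_csr() {
    # $1 = hostname used as the CN, e.g. www.example.com (constructed placeholder)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr"
}

# Stand-alone run: classify the OpenSSL found on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    printf '%s -> %s\n' "$(openssl version)" \
        "$(heartbleed_version_status "$(openssl version)")"
fi
```

Call `generate_new_key_and_csr www.example.com` only after the patched library is in place and services have been restarted, otherwise the new key can leak the same way.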

More info here: http://heartbleed.com/