mamahadija — 2014-04-18T05:09:57-04:00 — #1
there has been much news about heartbeat vulnerability in open ssl
how do web designers like me protect our client websites from this security gap
mittineague — 2014-04-18T05:21:13-04:00 — #2
Hi @mamahadija; welcome to the forums.
I'm confused. As a designer do you think it's your responsibilty to protect your clients from security threats?
mamahadija — 2014-04-18T05:36:59-04:00 — #3
so can u tell your client that if they ask you what this heartbeat means to the security of their website
the overal responsibility of managing a site for a client if you are a freelancer rests with the designer/developer
so i think this is an issue we should look into
wolfshade — 2014-04-18T08:50:24-04:00 — #4
While it is true that the developer does have to keep certain things in mind regarding security (like using parameterized queries, and the like), the OpenSSL "HeartBleed" issue is an encryption certification issue, fixed by the SA recompiling the kernel with the patched OpenSSL in place.
What does this mean for users?
It means that any website you've been to in the last two years that is running the unpatched version of OpenSSL for encryption is a possible information leak to hackers who know how to exploit it.
I'm sure there are instructions, somewhere, that can teach the user how to tell if they are on a site that uses OpenSSL, I just haven't read them. Otherwise, I'd paste the instructions here.
felgall — 2014-04-18T17:51:37-04:00 — #5
Any openSSL security certificate used in the past two years while encrypting the data sent from the client to the server and back has had a back door available to allow that data to be decrypted and read just as if it were not encrypted in the first place.
Far more importantly those certificates can be modified and reused on other sites so that even if the data stays encrypted, the server at the other end is not necessarily the one you think it is.
To fix this the sites with these certificates need to:
- Replace the affected certificate with a new one that has the security hole fixed.
- Cancel the old certificate to ensure that it cannot be misused.
- Force a password reset on all their users so that any passwords exposed by the bug are changed.
Most sites affected are carrying out step 1 but only a few are currently doing step 2 and until they do all three steps in that order their site remains exposed.
scallioxtx — 2014-04-18T18:04:44-04:00 — #6
It's not the certificates that are the problem, it's the OpenSSL software running on the server that's providing SSL access.
So in your list you have to add a step 0: patch OpenSSL and rebuild Apache/NGiNX
Once that's done, get a new certificate, revoke the old one, log out all users, and have them change their password
If you only change your certificate you're still as vulnerable as you were before, but with a different certificate.
Also see http://www.digitaltrends.com/computing/the-heartbleed-bug-explained-by-a-web-comic-xkcd/#!EPssm
felgall — 2014-04-18T18:38:09-04:00 — #7
Apparently the certificates are also a problem if they weregenerated using the version of open SSL with the security hole. plugging openSSL doesn't fix the security issues with the certificate.
Agreed. I forgot that step (I suppose I was assuming that all affected copies had been updated already) - there are actually four steps that ALL need to be carried out - not three.