Join David Gassner for an in-depth discussion in this video Fixing servers that use OpenSSL, part of Heartbleed Tactics for Small IT Shops.
To fix the Heartbleed bug on a server you need to upgrade to OpenSSL 1.0.1g or later. This process differs between operating systems, and you should check with the vendor that manages your operating system for specific instructions. For example, on Ubuntu, the easiest quick fix is to patch the operating system with the latest security upgrade using the command sudo apt-get dist-upgrade. After applying this patch, you would then reboot the server.
On other operating systems the steps can be more extensive. Again, check with your operating system vendor for details. If you're working in a hosted environment, check with your hosting provider. They should have detailed instructions and information for their environment. Another approach is to recompile your copy of OpenSSL. This process is only for those with programming and compilation experience. But, since it's an open source product, the source code is available for download and you can recompile any version of OpenSSL to remove the vulnerability.
The handshake that creates the issue can be removed completely with the compile-time option, -DOPENSSL_NO_HEARTBEATS. Whether you patch the operating system or recompile OpenSSL, these steps fix the server for current and future use. But you might not be finished. If your server was vulnerable in the first place, then some of its critical security assets, such as certificate keys and passwords, might have been compromised.
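As an added example that is not part of the course, the following POSIX shell script verifies the outcome of either fix described above: it classifies an OpenSSL version string against the range Heartbleed affected (1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g and later, and the 0.9.8 and 1.0.0 branches, were not affected) and looks for the -DOPENSSL_NO_HEARTBEATS option in the compiler flags that `openssl version -f` reports. It assumes the `openssl` binary is on the PATH. One caveat: distributions such as Ubuntu backport the fix into their existing package without changing the version letter, so a string in the affected range after `apt-get dist-upgrade` means "confirm with the package changelog", not "still vulnerable".

```shell
#!/bin/sh
# Added example (not from the course): check whether the installed OpenSSL
# has been fixed for Heartbleed, by version string or by build option.
# Assumes `openssl version` and `openssl version -f` are available.

# Returns 0 (true) when the version token names an unpatched upstream
# release: 1.0.1 through 1.0.1f, or a 1.0.2 beta. Anything else
# (1.0.1g+, 1.0.0, 0.9.8, 1.0.2 final) returns 1. Vendor backports can
# keep an older letter while being fixed; treat 0 as "verify", not "exposed".
heartbleed_vulnerable_version() {
    set -- $1            # word-split "OpenSSL 1.0.1e 11 Feb 2013"; $2 is the version token
    case "$2" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the recorded compiler flags show the heartbeat extension
# was compiled out, which removes the vulnerable code path entirely.
heartbeats_compiled_out() {
    printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# Inspect the OpenSSL actually installed on this host and print a verdict.
# Exit status: 0 fixed or compiled out, 1 needs attention, 2 openssl missing.
check_local_openssl() {
    v=$(openssl version 2>/dev/null) || { echo "openssl not found on PATH"; return 2; }
    f=$(openssl version -f 2>/dev/null)
    if heartbeats_compiled_out "$f"; then
        echo "OK: $v (built with -DOPENSSL_NO_HEARTBEATS)"
    elif heartbleed_vulnerable_version "$v"; then
        echo "CHECK: $v is in the affected range; confirm a vendor backport or upgrade to 1.0.1g or later"
        return 1
    else
        echo "OK: $v"
    fi
}
```

Run it with `sh heartbleed_check.sh && check_local_openssl` sourced, or append `check_local_openssl` as the last line; a non-zero exit is the signal to apply the vendor patch or the recompile before moving on to re-issuing certificates and credentials.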
So the next step is dealing with those vulnerable assets. If you think your server's security certificates might have been compromised, and remember, there's no way to know for sure, you should get them re-issued. Check with your certificate authority and follow their recommended steps. If your site manages user credentials or other secondary keys, you might decide to ask your users to change them. Think about whether you want to ask for changes or insist on them. This depends in part on the sensitivity of the potentially compromised information.
User passwords are always a particular problem, since so many users on the internet use the same passwords for multiple sites. Striking a balance between security and ease of use is a constant battle on the web. But again, this is a serious issue, and communicating that to your user base is important. And if you deal with credit cards directly, as opposed to outsourcing such details to a payments service provider, you need to contact your customers and let them know that their information might have been compromised, and perhaps contact banks and other payment services.
This is a big mess and no fun for anyone, but it needs to be dealt with. As I mentioned earlier, some organizations have gone to the extreme step of shutting down whole vital services until they've gotten these issues corrected. You'll need to decide whether such steps are necessary for your organization, based on the status of your servers and the sensitivity of the information you handle.