Home Gudgeon and gist Freedom to Tinker How to protect yourself from Heartbleed

How to protect yourself from Heartbleed

Freedom to Tinker 2014-04-10

The Heartbleed vulnerability is one of the worst Internet security problems we have seen. I’ll be writing more about what we can learn from Heartbleed and the response to it.

For now, here is a quick checklist of what you can do to protect yourself.

If you are a regular user:

Most of the sites you use were probably vulnerable. Your password might have been leaked from any one of them. Unless you’re sure that a site was never vulnerable, you should change your password on that site. (It’s not enough that a site is invulnerable now, because your password could have leaked before the site was fixed.)

Yes, it’s a pain to change your passwords, but you were really meaning to change them at some point anyway, weren’t you? Now is a good time. (It’s also a good time to turn on two-factor authentication, on sites that offer it.)

But, before you change your password on a site, you need to make sure that that site has closed any remaining vulnerability. Look for an unequivocal statement from the site that (1) they are no longer vulnerable and (2) they have changed the private encryption key they use to protect HTTPS traffic. Once you’re sure that they have done those two things, then you should go ahead and change your password on the site. If they haven’t done those two things, then it’s best to wait until they do. Make yourself a note to come back and check in a few days.

The bad news is that some of your private information might have leaked from a vulnerable site. It will be very difficult to tell whether this happened, even for the site itself, and nearly impossible to undo a leak if it did happen.

If you run a website that supports HTTPS, and you run your own server:

  • Go to http://filippo.io/Heartbleed/ and enter the name of your site, to test whether your site is vulnerable. If you’re not vulnerable, you’re done. If you are vulnerable, carry out the following steps.
  • Upgrade your server software to a non-vulnerable version. I can’t give you general advice on how to do this because it depends on which software you are running. Once you have done the upgrade, go back to http://filippo.io/Heartbleed/ and verify that you are no longer vulnerable.
  • After upgrading your software, generate a new SSL/TLS key and get a certificate for the new key. Start using the new key and certificate. (This is necessary because an attacker could have gotten your old key.)
  • Revoke the certificate you were previously using. (This is necessary because an attacker who got your old key could be using your old key and certificate to impersonate your site.)
  • Have your users change the passwords that they use to log in to your site. (This is necessary because users’ existing passwords could have been leaked. You need to get your house in order by carrying out the previous steps, before users can safely change passwords.)

If you run a website that supports HTTPS, and you use a web hosting service: In this case, the hosting service runs the web server that powers your site.

  • Find out from the hosting service whether its server was ever vulnerable to Heartbleed attacks. If you’re confident that it was never vulnerable, then you’re good. Otherwise, carry out the following steps.
  • Wait until the hosting service has upgraded its software to a non-vulnerable version. Once they have done the upgrade, you should be able to go to http://filippo.io/Heartbleed/ and enter the address of your site, and be told that it is not vulnerable. If this isn’t true yet, ask the hosting service to fix the problem, then wait a while and repeat.
  • Once the hosting service has upgraded its software and the test site shows you as not vulnerable, generate a new SSL/TLS key and get a certificate for the new key. Start using the new key and certificate. (This is necessary because an attacker could have gotten your old key.)
  • Revoke the certificate you were previously using. (This is necessary because an attacker who got your old key could be using your old key and certificate to impersonate your site.)
  • If your site assigns passwords to users, have your users change the passwords that they use to log in to your site. (This is necessary because users’ existing passwords could have been leaked. You need to get your house in order by carrying out the previous steps, before users can safely change passwords.)