What can I do about the Heartbleed bug?

Anonymous April 9, 2014

What can I do about the Heartbleed bug to ensure my security? Is it relevant that I use OpenOffice from Apache?

  1. Ryan D
    April 13, 2014 at 7:12 am

    If you have control over any web server that's using OpenSSL, get and install the latest 1.0.1e of OpenSSL: http://www.openssl.org/source/

    Or as Jeff mentions (and the OpenSSL security advisory mentions) - "Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS."

    If you are not in control of any server, then all you can do is encourage any services or sites you use to please upgrade their OpenSSL ASAP to protect your privacy and security. I wouldn't rush to change any passwords until you're sure they have upgraded already.

  2. Howard B
    April 9, 2014 at 9:28 pm

    The only way to protect yourself is to not use a site that uses OpenSSL versions from 1.0.1 to 1.0.1f, which are the versions of OpenSSL that had the Heartbleed bug; earlier versions, and the new version 1.0.1g, do not have the vulnerability. It has nothing to do with your PC, your web browser, your version of OpenOffice, or anything at all on your PC - the problem is entirely contained on websites that use OpenSSL for its SSL/TLS security.
    You can enter a site's URL on http://filippo.io/Heartbleed/ to see if the site is vulnerable; if it's a site you use for anything important (banking, e-commerce, etc.) notify them they need to fix it!

    • Anonymous
      April 10, 2014 at 3:01 am

      Thank you, I understand now - just panicking!

  3. Jan F
    April 9, 2014 at 4:31 pm

    From a user perspective, make sure to (always) have all the latest updates installed (OS, software, apps).
    For the next couple of days be careful on public WiFis or avoid using them at all. And as Jeff quoted, change passwords for sensitive information and services as a precaution.

    From an administrative perspective this question seems redundant. You should know where you are using OpenSSL and therefore know which systems might be at risk, analyze if they are affected and try to fix it.

  4. dragonmouth
    April 9, 2014 at 12:34 pm

    Jeff F,
    The Test Site link returns a "Page Not Found" error.

  5. Jeff F
    April 9, 2014 at 7:34 am

    Researchers have pushed out a fix for this security flaw. The only way to protect yourself is to upgrade to a fixed version of OpenSSL or to recompile OpenSSL with the handshake removed from the code. Administrators have to install the fix as it becomes available for their operating systems, networked appliances and software they use. Most Linux hosts should have a stable security patch for this flaw by now. You may test whether your OpenSSL version is affected or not by going to this test site.

    According to openssl.org changelog this exploit was patched on the fifth of April on at least Linux hosts. Keep your kernel and libs up-to-date. If you want to be certain that your server(s) are not affected, you can optionally recompile OpenSSL with the handshake process removed fairly easily. You can do this using the target output switch -DOPENSSL_NO_HEARTBEATS in your compiler.

    "People should change their passwords for sensitive sites to be on the safe side" - Zully Ramzan

    OpenSSL vulnerabilities - CVE-2014-0160: 7th April 2014 (heartbeat extension) official security advisory
    OpenSSL Security Advisory [07 Apr 2014]

    • Anonymous
      April 10, 2014 at 2:59 am

      Thank you
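
Added example, not part of the original thread or any poster's code: a Python check that applies the affected range given in Howard B's comment (1.0.1 to 1.0.1f) and the -DOPENSSL_NO_HEARTBEATS rebuild mentioned by Ryan D and Jeff F to the text printed by `openssl version -a`. The function name, status strings and sample outputs are constructed for illustration, and it assumes the build flags appear on the `compiler:` line.

```python
import re

# Affected releases per the thread: 1.0.1 through 1.0.1f (1.0.1g is fixed).
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}
VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(\S*)", re.MULTILINE
)


def heartbleed_status(version_output: str) -> str:
    """Classify the output of `openssl version -a`.

    Returns "unknown", "not-affected", "mitigated" or "affected-range".
    """
    match = VERSION_RE.search(version_output)
    if match is None:
        return "unknown"  # not an OpenSSL banner at all
    major, minor, patch, letter, suffix = match.groups()
    if any(tag in suffix for tag in ("beta", "dev", "pre")):
        return "unknown"  # pre-release builds are not covered by the thread
    if (int(major), int(minor), int(patch)) != (1, 0, 1):
        return "not-affected"
    if letter not in AFFECTED_LETTERS:
        return "not-affected"  # 1.0.1g and later letters
    # Assumption: flags passed at build time are listed on the "compiler:" line.
    for line in version_output.splitlines():
        if line.startswith("compiler:") and "-DOPENSSL_NO_HEARTBEATS" in line:
            return "mitigated"
    # Distribution packages can carry a backported fix under an old version
    # letter, so this means "check the package changelog", not "vulnerable".
    return "affected-range"


# Constructed sample outputs (not captured from real hosts).
SAMPLE_OLD = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_PIC -O3\n"
SAMPLE_REBUILT = (
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3\n"
)
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -O3\n"

if __name__ == "__main__":
    for name, text in [("old", SAMPLE_OLD), ("rebuilt", SAMPLE_REBUILT),
                       ("fixed", SAMPLE_FIXED)]:
        print(name, "->", heartbleed_status(text))
```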
