This week a vulnerability dubbed “Heartbleed” was found in the popular OpenSSL cryptographic software library (http://heartbleed.com). OpenSSL is widely used, often with applications and web servers such as Apache and Nginx. OpenSSL versions 1.0.1 through 1.0.1f contain this vulnerability, which attackers can exploit to read the memory of affected systems. Access to that memory could give attackers the server's secret keys, allowing them to decrypt and eavesdrop on SSL-encrypted communications and to impersonate service providers. Data in memory may also contain other sensitive information, including usernames and passwords.
Heartbleed is not a vulnerability in SSL/TLS itself, but rather a software bug in the OpenSSL heartbeat implementation. SSL/TLS is not broken; it is still the gold standard for encrypting data in transit on the Internet. However, because OpenSSL is so widely deployed, approximately 66% of the Internet's web servers, or two-thirds (according to the Netcraft web server report), could be using this software. Companies using OpenSSL should update to the latest fixed version of the software (1.0.1g) or recompile OpenSSL without the heartbeat extension as soon as possible.
As the world’s leading Certification Authority, Symantec has already taken steps to strengthen our systems. Our roots are not at risk; however, we are following best practices and have re-keyed all certificates on web servers that have the affected versions of OpenSSL.
After companies have updated or recompiled their systems, Symantec recommends that customers replace all the certificates on their web servers (regardless of issuer) to mitigate the risk of a security breach. Symantec will be offering free replacement certificates for all our customers.
Finally, Symantec is asking customers to reset the passwords for their SSL and code-signing management consoles. Again, this is a best practice, and we encourage companies to ask their end customers to do the same once their systems have applied the fix. We will continue to work with our customers to minimize the impact of security risks from this vulnerability.
For your convenience, here is a summary of steps to take:
For businesses:
- Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.
- Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.
- Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server's memory.
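A quick way to check the first step on each host, as an added example that is not part of the original post: the function below classifies an OpenSSL build from the text that `openssl version` and `openssl version -f` print (the `-f` form lists the build's compiler flags, so a build recompiled without the heartbeat extension is recognised by `-DOPENSSL_NO_HEARTBEATS` even though its version number is still in the affected range). The sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Classify an OpenSSL build against the Heartbleed-affected range
# (1.0.1 through 1.0.1f) from two strings:
#   version_line: output of "openssl version",    e.g. "OpenSSL 1.0.1e 11 Feb 2013"
#   flags_line:   output of "openssl version -f", e.g. "compiler: gcc -DOPENSSL_THREADS ..."
# Prints one of: affected, patched, no-heartbeats, unaffected.
# Returns 1 for "affected" and 0 otherwise, so it can drive a fleet check.
heartbleed_status() {
    version_line=$1
    flags_line=$2

    # The version token is the second word of the version line (e.g. 1.0.1e-fips).
    set -- $version_line
    ver=$2

    # Heartbeats compiled out: the buggy code is absent whatever the version says.
    case "$flags_line" in
        *OPENSSL_NO_HEARTBEATS*) echo no-heartbeats; return 0 ;;
    esac

    case "$ver" in
        # 1.0.1g is the upstream fix; later 1.0.1 letters carry it too.
        1.0.1[g-z]*) echo patched; return 0 ;;
        # 1.0.1 and 1.0.1a-1.0.1f, including suffixed builds such as 1.0.1e-fips.
        # Caveat: distributions that backport the fix keep the upstream version
        # number, so "affected" means "confirm against your vendor's advisory",
        # not "definitely vulnerable".
        1.0.1*) echo affected; return 1 ;;
        # 0.9.8, 1.0.0, 1.0.2 and later never contained the bug.
        *) echo unaffected; return 0 ;;
    esac
}

# Convenience wrapper: check the OpenSSL binary on this host, if there is one.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
    heartbleed_status "$(openssl version)" "$(openssl version -f)"
}
```

Call `check_local_openssl` on each server; a non-zero exit marks a host that still needs the 1.0.1g update or a rebuild without heartbeats.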
For consumers:
- Be aware that your data could have been seen by a third party if you used a vulnerable service provider.
- Monitor any notices from the vendors you use. Once a vulnerable vendor has told its customers to change their passwords, do so.
- Watch out for phishing emails from attackers asking you to update your password; to avoid landing on an impersonated website, go directly to the official site domain rather than following a link.