What is the Heartbleed vulnerability and how does it affect me?
Google Security and Codenomicon, a Finnish security company, recently discovered a vulnerability in the OpenSSL cryptographic library, which is used to handle secure HTTPS communications for around 66% of websites and companies on the internet. It has been named the Heartbleed bug and has been assigned the reference CVE-2014-0160 in the Common Vulnerabilities and Exposures (CVE) list. Actions are being co-ordinated globally to respond to this vulnerability.
Although only recently found, the bug appears to have existed since December 2011 and allows an attacker to read the memory of any system running a vulnerable version of OpenSSL. That memory could contain private keys, usernames, passwords, emails, or any other information that is transmitted.
Attacks of this nature do not leave a trace, so no one can be sure whether this exploit has already been used for malicious purposes. For this reason, advice has to be given on a “worst case” basis, under the assumption that attacks have been carried out, even though the likelihood of this is low.
Where can I find more information?
More information regarding this vulnerability can be found on a number of websites; examples being:
What should I do?
I have my own SSL Certificate on a dedicated or virtual server
Our article What is the Open SSL Heartbleed bug and how do I make it secure? shows you how to check whether your server is vulnerable, how to patch it, and how to re-issue your certificate.
My website uses shared SSL
You should check that your hosting provider has patched their OpenSSL library and has re-issued their SSL certificates.
Note: All Fasthosts Shared SSL space has been patched and certificates have been re-issued.
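The two checks described above (whether a server's OpenSSL build is affected, and whether a certificate was re-issued after the disclosure) can be scripted. The following Python is an added example, not Fasthosts' code or part of this article. It assumes the version ranges published in the OpenSSL advisory for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g fixed; 0.9.8 and 1.0.0 never affected) and uses the standard-library ssl.cert_time_to_seconds to read the certificate date format that ssl.SSLSocket.getpeercert() returns; the version string and certificate date in the usage section are constructed sample inputs.

```python
import calendar
import re
import ssl

# Public disclosure of CVE-2014-0160 and release of OpenSSL 1.0.1g: 7 April 2014 (UTC).
HEARTBLEED_DISCLOSURE = calendar.timegm((2014, 4, 7, 0, 0, 0))


def heartbleed_status(version_line):
    """Classify the first line of `openssl version` output.

    Returns one of:
      "vulnerable" - 1.0.1 through 1.0.1f, or 1.0.2-beta1 (Heartbeat present, unpatched)
      "fixed"      - 1.0.1g or later, 1.0.2-beta2 or later, or any newer branch
      "unaffected" - 0.9.8 and 1.0.0 branches (no TLS Heartbeat implementation)
      "unknown"    - the string did not parse as an OpenSSL version

    Caveat: distributions that backport fixes (for example a patched 1.0.1e package)
    keep the old version string, so for those the package changelog or the
    "built on" date from `openssl version -a` must be checked as well.
    """
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", version_line)
    if not m:
        return "unknown"
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if release < (1, 0, 1):
        return "unaffected"
    if release == (1, 0, 1):
        # Patch letters sort alphabetically: "" (plain 1.0.1) through "f" are vulnerable.
        return "vulnerable" if letter < "g" else "fixed"
    if release == (1, 0, 2) and beta is not None and int(beta) < 2:
        return "vulnerable"
    return "fixed"


def certificate_reissued_after_heartbleed(not_before):
    """True if a certificate's notBefore date is on or after the disclosure date.

    `not_before` is the string found in the 'notBefore' field of
    ssl.SSLSocket.getpeercert(), e.g. 'Apr  9 10:30:00 2014 GMT'. A certificate
    issued before the disclosure may carry a key that sat in memory on a
    vulnerable server, which is why re-issuing (and revoking the old one) is advised.
    """
    return ssl.cert_time_to_seconds(not_before) >= HEARTBLEED_DISCLOSURE


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real server.
    sample_version = "OpenSSL 1.0.1e 11 Feb 2013"
    sample_not_before = "Mar  1 00:00:00 2014 GMT"
    print(sample_version, "->", heartbleed_status(sample_version))
    print("certificate re-issued after disclosure:",
          certificate_reissued_after_heartbleed(sample_not_before))
```

The version check is only a first pass: on a server it should be read together with the build date, and the certificate check only tells you the certificate was re-issued, not that the private key behind it was regenerated, so follow the provider's or CA's re-issue procedure rather than relying on the date alone.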
I log into websites that use SSL to secure my communications
It is always good practice to change your passwords regularly. While the likelihood of details having been leaked is low, you should consider updating the passwords for any important websites.
Fasthosts Control Panel Update
To simplify the process, you can now revoke old SSL certificates through your control panel once you have re-issued a certificate.
Our guide to Revoking SSL Certificates shows you how to do this.
If you haven’t already re-issued your SSL certificate following the Heartbleed bug, we recommend you do so. This can also be done through your control panel, as outlined in our guide How do I re-issue an SSL certificate?