Wednesday, April 9, 2014

Heartbleed

What is Heartbleed?
Heartbleed is a serious vulnerability (CVE-2014-0160) in OpenSSL, the cryptographic library that a large share of servers and devices use to implement SSL and TLS.

What does it do?
The Heartbleed bug lets an attacker read up to 64 KB of the memory of the process that uses OpenSSL with each malformed heartbeat request, and the request can be repeated, so nothing limits the total to 64 KB.  Anyone on the Internet can recover whatever happens to be in that memory: the server's private key, user passwords and session cookies, and any other data the process was handling.  It is a read of the process's memory, not of the whole machine, but the TLS process is exactly where the secrets live.  The same flaw lets a malicious server read memory from a vulnerable client that connects to it.

Where did it come from?
Heartbleed was introduced with the TLS Heartbeat Extension (RFC 6520), a keep-alive feature that lets either side check that a connection is still up without renegotiating or sending application data.  The flaw is not in the protocol but in OpenSSL's implementation of it: the code trusted the payload length stated in a heartbeat request and copied that many bytes back to the sender without checking that the request actually contained them, so the extra bytes came from whatever sat next to the request in memory.
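To make the mechanism concrete, here is an added example in C.  It is not OpenSSL's code, but it is modelled on tls1_process_heartbeat in 1.0.1f and on the bounds check that 1.0.1g added.  It lays out a constructed heartbeat request in a fake heap with a fake secret sitting directly after it, then runs the request through a handler that trusts the claimed payload length and through one that checks it against the record.  The fake heap, the SECRET string, the "abc" payload and all function names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16)   */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* One received record: where the message starts and how many bytes actually
 * arrived.  In OpenSSL this is s->s3->rrec.data / s->s3->rrec.length. */
struct record {
    const unsigned char *data;
    size_t length;
};

typedef size_t (*hb_handler)(const struct record *, unsigned char *, size_t);

/* Constructed "secret" that the demo places right behind the record. */
static const char SECRET[] = "SECRET_KEY_MATERIAL";

/* Shared response builder: echo `payload` bytes from p, then padding.
 * The out_cap check stands in for OPENSSL_malloc() of the response; it
 * says nothing about how many bytes the *request* actually holds. */
static size_t build_response(unsigned int payload, const unsigned char *p,
                             unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (payload >> 8) & 0xff;
    out[2] = payload & 0xff;
    memcpy(out + 3, p, payload);        /* size chosen by the peer */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable (mirrors 1.0.1f): the length comes from the peer and is never
 * compared with rec->length, so memcpy reads past the end of the record. */
static size_t heartbeat_vulnerable(const struct record *rec,
                                   unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned int type = *p++;
    unsigned int payload = (p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    if (type != HB_REQUEST)
        return 0;
    return build_response(payload, p, out, out_cap);
}

/* Fixed (the checks 1.0.1g added): a request shorter than the minimum, or
 * one that claims more payload than the record holds, is silently dropped. */
static size_t heartbeat_fixed(const struct record *rec,
                              unsigned char *out, size_t out_cap)
{
    if (rec->length < 1 + 2 + HB_PADDING)
        return 0;
    const unsigned char *p = rec->data;
    unsigned int type = *p++;
    unsigned int payload = (p[0] << 8) | p[1];
    p += 2;
    if (type != HB_REQUEST)
        return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length)
        return 0;
    return build_response(payload, p, out, out_cap);
}

/* Constructed heap: a heartbeat request carrying the 3-byte payload "abc"
 * but advertising `claimed_len`, with SECRET directly behind it.  Runs `h`
 * over it and returns the response length (0 = request discarded). */
static size_t run_heartbeat(hb_handler h, unsigned int claimed_len,
                            unsigned char *out, size_t out_cap)
{
    unsigned char heap[256] = {0};
    if (3 + (size_t)claimed_len > sizeof heap)   /* keep the over-read inside our fake heap */
        return 0;
    size_t n = 0;
    heap[n++] = HB_REQUEST;
    heap[n++] = (claimed_len >> 8) & 0xff;
    heap[n++] = claimed_len & 0xff;
    memcpy(heap + n, "abc", 3);
    n += 3;
    n += HB_PADDING;                             /* 16 zero bytes of padding */
    memcpy(heap + n, SECRET, sizeof SECRET - 1); /* neighbour in memory */
    struct record rec = { heap, n };             /* the record really is 22 bytes */
    return h(&rec, out, out_cap);
}

/* Response length for a given claimed payload length. */
static size_t response_len(hb_handler h, unsigned int claimed_len)
{
    unsigned char out[512];
    return run_heartbeat(h, claimed_len, out, sizeof out);
}

/* 1 if the response carries the neighbouring secret, else 0. */
static int leaks_secret(hb_handler h, unsigned int claimed_len)
{
    unsigned char out[512];
    size_t got = run_heartbeat(h, claimed_len, out, sizeof out);
    size_t m = sizeof SECRET - 1;
    for (size_t i = 0; got >= m && i + m <= got; i++)
        if (memcmp(out + i, SECRET, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("honest (len 3):     vulnerable leaks=%d fixed leaks=%d\n",
           leaks_secret(heartbeat_vulnerable, 3), leaks_secret(heartbeat_fixed, 3));
    printf("malicious (len 200): vulnerable leaks=%d fixed leaks=%d\n",
           leaks_secret(heartbeat_vulnerable, 200), leaks_secret(heartbeat_fixed, 200));
    return 0;
}
```

An honest request (claimed length 3, actual payload 3) gets the same 22-byte echo from both handlers.  A request that claims 200 bytes while carrying 3 makes the vulnerable handler return 219 bytes, 197 of which were never sent and include the secret; the fixed handler returns nothing.  In the real library the over-read lands in whatever the heap holds at that moment, which is why repeated requests eventually surface key material.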

What servers does this affect?
Any software that links an affected OpenSSL: versions 1.0.1 through 1.0.1f and 1.0.2-beta1.  That covers far more than Apache; nginx, mail servers, VPN endpoints and embedded appliances that build against OpenSSL are all affected.  The 1.0.0 and 0.9.8 branches never had the heartbeat code and are not vulnerable.

Does it affect Windows Servers?
It does not affect Microsoft's IIS (Internet Information Services) or Exchange Server, which use Windows' own SChannel TLS stack rather than OpenSSL.  Apache, or any other software, running on Windows with a bundled OpenSSL 1.0.1 DLL is affected.

How do I know if a server is affected?
Test it!  http://filippo.io/Heartbleed/ sends a malformed heartbeat to the host and reports whether memory came back.  That only covers what is reachable from the Internet, so also check the library version on each host with "openssl version", and ask vendors about appliances that embed OpenSSL.

If I have an affected server, what do I do about it?

Patch it: OpenSSL 1.0.1g fixes the issue, as do the distribution packages that backport the fix (Debian, Ubuntu and Red Hat shipped fixed builds that still report 1.0.1e, so check the package changelog for CVE-2014-0160 rather than trusting the version string).  Then restart every service that links OpenSSL, because a running process keeps the old library loaded.  Since the private key may already have been read, you should also generate a new key, reissue the SSL certificate and revoke the old one, and have users change passwords once the new certificate is in place.
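As an added example that is not part of the original post, the following shell functions do the local and remote checks described above: one classifies an "openssl version" banner against the affected range, one looks for the CVE in the package changelog to catch distribution backports, and one asks a live host whether it advertises the heartbeat extension at all (a host that does not advertise it cannot be exploited whatever its version; one that does still needs the version check).  The Debian changelog path and the rpm package name are assumptions about the package layout, and the hostname and port are placeholders.

```shell
#!/bin/sh
# Classify an `openssl version` banner by Heartbleed status.
# Prints one of: vulnerable, fixed, unaffected, unknown.
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1.  Fixed: 1.0.1g and later,
# 1.0.2-beta2 and later.  0.9.8 and 1.0.0 never had the heartbeat code.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*)            echo fixed ;;
        1.0.0*|0.9.*)                  echo unaffected ;;
        *)                             echo unknown ;;
    esac
}

# Distribution packages often backport the fix without bumping the version
# string, so on a managed host look for the CVE in the package changelog.
# Returns 0 if CVE-2014-0160 is mentioned.  Package name / changelog path
# are assumptions (rpm: openssl; Debian: libssl1.0.0).
package_has_fix() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl | grep -q 'CVE-2014-0160'
    elif command -v dpkg >/dev/null 2>&1; then
        zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz 2>/dev/null \
            | grep -q 'CVE-2014-0160'
    else
        return 1
    fi
}

# Ask a live host whether it advertises the TLS heartbeat extension.
# Needs network access, and the local s_client must itself be an OpenSSL
# 1.0.1-era build so that it offers the extension in its ClientHello.
# Prints "heartbeat enabled" (still needs the version check) or "no heartbeat".
heartbeat_advertised() {
    host=$1
    port=${2:-443}
    if openssl s_client -connect "$host:$port" -tlsextdebug </dev/null 2>&1 \
         | grep -q 'server extension "heartbeat"'; then
        echo "heartbeat enabled"
    else
        echo "no heartbeat"
    fi
}

# Usage on the current host; does nothing if openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    echo "local library: $(heartbleed_status "$(openssl version)")"
fi
# heartbeat_advertised example.com 443
```

The version table is the same one the advisory gives, so "fixed" from heartbleed_status only means the banner is a fixed release; on a host that reports 1.0.1e, package_has_fix is the check that matters.  After the package is updated, restart the daemons or reboot; until then heartbeat_advertised will keep reporting the old library's behaviour.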