Heartbleed: after you've patched, what next?

A few customers have got in touch to ask what they should do after patching their servers against the heartbleed vulnerability.

This advice applies to servers that were running SSL-enabled services on a vulnerable Linux server (ask if you’re not sure; this is tedious advice to follow otherwise).

In brief, for those who had to patch their servers:

  • get your sites’ SSL certificate reissued and reinstalled with newly-generated keys;
  • consider forcing your users to change their password to raise their awareness of the problem, but
  • the burden falls on users to change all their passwords, not just those on your site.

It’s been shown that SSL encryption keys can be stolen from a vulnerable server. That means that anyone who intercepted your traffic could also decrypt it. SSL is meant to prevent that!

So I’d echo the advice to get your SSL certificates reissued; do not reuse the old keys, generate new ones! Reputable certificate authorities let you request another cert with a different key without charge, and most are prominently encouraging their users to do exactly that (you’ll likely have an email from them already).
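The reissue step is the one most often done wrong: a CSR built from the old private key gets you a new certificate but keeps the compromised key. As an added example (not part of the original post), this POSIX shell script assumes the openssl CLI is installed and constructs a throwaway “old” self-signed certificate in a temp directory as a stand-in for the vulnerable server’s cert; it generates a fresh key and CSR, then checks that the old certificate’s public key really differs from the new key before anything is installed.

```shell
#!/bin/sh
# Assumption: openssl CLI available; all file paths here are constructed for the demo.
set -eu

# Generate a brand-new private key and a CSR for the site (never derived from the old key).
gen_new_key_and_csr() {
  key="$1"; csr="$2"; cn="$3"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
  openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" 2>/dev/null
}

# SHA-256 fingerprint of the DER-encoded public key held in a private key file.
pubkey_fpr_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a certificate.
pubkey_fpr_of_cert() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key carried in a CSR (what the CA will certify).
pubkey_fpr_of_csr() {
  openssl req -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# True (exit 0) only if old_cert's key and new_key are different keys, i.e. rotation really happened.
key_was_rotated() {
  old="$(pubkey_fpr_of_cert "$1")"; new="$(pubkey_fpr_of_key "$2")"
  [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

demo() {
  d="$(mktemp -d)"
  # Constructed stand-in for the certificate/key that was live on the vulnerable server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$d/old.key" -out "$d/old.crt" >/dev/null 2>&1
  gen_new_key_and_csr "$d/new.key" "$d/new.csr" example.test
  if key_was_rotated "$d/old.crt" "$d/new.key"; then echo "new CSR uses a fresh key: OK"; fi
  # The classic mistake: a CSR made from the old key would pass CA checks but change nothing.
  if ! key_was_rotated "$d/old.crt" "$d/old.key"; then echo "old key reuse detected: refuse"; fi
  rm -rf "$d"
}
demo
```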

The “best practice” answer for your data is a simple one: assume that all data passed through your vulnerable server has been read, and by the worst possible people. So if you run a mail server, assume all your mail has been read; if you run a web service, assume all your users’ passwords have been sniffed; and so on. It has been reported that the US National Security Agency knew about this bug and exploited it almost as soon as it was inadvertently created.

But surely nobody would want to hack your site, your data? The problems with that wishful thinking are:

  1. intelligence agencies have very recently been shown to run indiscriminate “dragnet” operations on any sites that might prove useful to them, keeping whatever they find “just in case”;
  2. the vulnerability was widespread, allowed access to passwords, and left no trace that it had been exploited, making it by far the cheapest and most obvious electronic intelligence-gathering technique available to those who knew about it;
  3. your users may share passwords between sites, and Heartbleed makes it easy to grab passwords from recently logged-in users.

It’s likely that someone with early knowledge of this bug could have created a large database of user names and passwords from a wide variety of online services, including yours. That data will remain useful for months and years to come unless you work to invalidate it!

This isn’t a theoretical risk - some wag used Heartbleed to hack into the parenting forum Mumsnet and post insulting messages purporting to be from the site’s founder. If internet trolls have the technology, you can’t predict who might be interested in your data.

But in the long run, the heaviest burden falls on each internet user, not site operators. Every internet user can assume they’ve had their network passwords read, and stored somewhere, and needs to “reboot” their digital identities. That’s passwords, VPN keys and everything else. Nothing you can do, as the operator of a single site, will ensure they are completely safe.

You might choose to force your users to change their password on your sites and services, even without evidence of compromise of your site. But that won’t give your users the assurance that they’re safe overall, just that your site won’t be compromised through their previous credentials!

Bytemark patched everything by lunchtime following the announcement. We’re now following this advice by changing our own SSL keys this week. We will also be prompting (though not forcing) people to change their control panel passwords once we have made sure the new certificates have been pushed round.

I’m happy to address any questions you might have here, whether on Bytemark’s response or what yours should be.
