The Heartbleed Bug: Quick And Simple Informationby Graham Needham (BH) on 10th April 2014
When a computer or smartphone needs to talk securely to a server/web site it establishes a secure (encrypted)
connection between it and the server/web site. To put it in simple terms, both ends (your computer/smartphone and the server/web
site) use special security software (e.g. SSL) to create an ecrypted connection (e.g. TLS) between each other. The
Heartbleed bug affects certain versions of the security software, specifically OpenSSL v1.0.1a to v1.0.1f. Older and
newer versions of OpenSSL do not have the bug e.g. OpenSSL v1.0.1g. Mac OS X and iOS are not affected by this bug as
they do not use an affected version of OpenSSL so if you run a server using OS X your server is not affected.
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is not vulnerable
- OpenSSL 1.0.0 branch is not vulnerable
- OpenSSL 0.9.8 branch is not vulnerable
- Mac OS X and iOS use the OpenSSL 0.9.8 branch so they are not vulnerable - Apple statement
What you should do immediately
- If you use Mac OS X or a jailbroken version of iOS and you have installed a different/newer version of OpenSSL on your own computer or your server you may be affected. You should check that the version of OpenSSL that you have installed doesn't use the affected software.
- If you use a computer or smartphone that does not have Mac OS X or iOS on it you should check that your operating system e.g. Windows, Linux, Ubuntu, Redhat, UNIX, Android, etc does not use the affected software.
- Linux/UNIX - run the command "openssl version" to see if you are running an affected version (see list above) - if you are update/upgrade to a non-affected version
- If you have installed software that creates an encrypted connection between it and another computer on your own computer or your server you may be affected. You should check that the version of the installed software does not use the affected software. For example:
- Off site backup software
- Banking software
- VPN clients e.g. OpenVPN, Tunnelblick
- Cloud storage applications e.g. Dropbox, Microsoft OneDrive
- If you or your company runs a server/web site you should check that both the server's operating system e.g. Windows, Linux, Ubuntu, Redhat, UNIX and the web server software installed on it e.g. Apache, IIS does not use the affected software.
The problem that is out of your hands
Whatever computer or smartphone you are using you will almost definitely be using it to connect to a server/web site out
there on the internet. You have no control over that server/web site and that server/web site may be using software that
is affected by this bug. The only thing you can do is check with that web site/company that they are not using software
that is affected by this bug or if they are/were that they have upgraded/changed the software so that they are not
affected by the bug. Over the coming hours/days/weeks most web sites will probably put a notice on their home page that
they are either not affected or that they have fixed/upgraded their software. The key is if that web site/company does
post such a message then you should be wary of using that web site. There are already web sites that you can use to
enter another web site's address (URL) and it will report if that site/server might
The BBC has a small list of major web sites
and whether they are/were vulnerable.
Mashable has a great list of major web sites
and whether they are/were vulnerable.
What about changing all my passwords?
The problem with this right now is that if the server/web site uses vulnerable software changing your password
won't make any difference. You should only change your password once you know that the company/server/web
site was affected by this bug and that they have upgraded/changed their software to fix the problem.
What if I use two factor authentication?
Some sites offer two factor authentication such as sending a code to your mobile phone or using a mobile app/security
key generator device. As an attacker cannot get both parts of your login details these sites will be more safe than
if the web site was vulnerable an attacker may have still been able to get your username/password for that site so
you should still change your password once you know if that site was vulnerable and has been updated.
What should I do?
- We'll keep updating this blog post with more information/links as it becomes available so why not bookmark and keep revisiting?
- Change your password at servers/web sites if they were affected by this bug and that they have now upgraded/changed their software to fix the problem.
- Keep your software up-to-date. Make a list and go through all the applications you have purchased/downloaded - if that software makes a secure connection to another computer in some way check with the vendor of that software whether it is affected by the Heartbleed bug. If it is, don't use it until you have an updated version of the software that fixes the bug.
- Continue to adhere to best computer/internet security practices (see our own security articles below).
- Know more about the problem and affected software by reading up on the subject.
MacStrategy Security Articles
#1 - Physical
#2 - Software
#3 - Malware, Social Engineering and Scams
#4 - Securing Data
#5 - User Names and Passwords including Apple IDs
#6 - Networking/Internet/Online Shopping
#7 - Securing Older Mac Operating Systems
#8 - Apple's OS X Gatekeeper
#9 - For People Wearing Tinfoil Hats
Blog Post Author = Graham Needham (BH)
Blog Post Created On = 10th April 2014
Blog Post Last Revised = 31st August 2017 17:32
Blog Post URL = http://www.macstrategy.com/blog_post.php?24
This blog post is representative of the blog author's individual opinions and as such any opinions that may be expressed here may not necessarily reflect the views of everyone at MacStrategy or the holding company Burning Helix Limited.See all blog postings for all countries