JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
 
Certificates
Our products range
Partners
Support
Focus


20140408 - Heartbleed security weakness announcement - OpenSSL 1.0.1

Revealed yesterday, Heartbleed is a serious vulnerability of OpenSSL library.

It allows anybody to access, from the internet, information stored on an OpenSSL-equiped server and makes any private key used on a server (apache, nginx, postfix, etc.) vulnerable.

Last but not least, there is absolutely no way to know if you have been the victim of such an attack since the vulnerability allows hackers to access your information without leaving any trace.

Potential consequences

The private key linked to your SSL certificate is the base of your web tools, using SSL/TLS, security. Should this key be stolen, it could be used on a pirate website using your corporate identity.

Then webusers cannot know for sure if they are on a trusted website anymore, the certificate being a genuine one.

To put it in a nutshell : a perfect MITM (Man In The Middle) attack.

Status of OpenSSL versions

  • OpenSSL versions 1.0.1 à 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug appeared with OpenSSL 1.0.1 release in march 2012. The vulnerable versions have been used for over two years now and they have been rapidly adopted by modern operating systems.

OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Operating System distributions that have shipped with potentially vulnerable OpenSSL version

This is not an exhaustive list!

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 (OpenSSL 1.0.1e 11 Feb 2013)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)
  • Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5 and Red Hat Storage 2.1 (OpenSSL 1.0.1e)

Non-impacted OS

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 (OpenSSL 0.9.8y 5 Feb 2013)
  • FreeBSD 9.2 (OpenSSL 0.9.8y 5 Feb 2013)
  • FreeBSD Ports (OpenSSL 1.0.1g at 7 Apr 21:46:40 2014 UTC)

What do I need to do?

First, you need to know whether you are impacted or not.
If so, follow the 3-steps procedure described below:

  1. Update your server OS to get the OpenSSl corrected version (then reboot)

  2. Request a free reissuance of your SSL certificate
    • 2.1. Generate a new private key and a new CSR
    • 2.2. Use our revocation form and check the "revoke" box

  3. After the installation on the server and if you did not ask for your certificate to be revoked, request an IMMEDIATE REVOCATION via your status page

Security strengthening / security strategy

If your server has suffered from this vulnerability, you may have to define a security strategy. Indeed, even if it was for a short period of time, your server and the reserved accesses (login / password authentication) may have been victims of Man In The Middle attack. Meaning that users, believing to be on an official server, have enter their login information. If a hacker intercepted it, he can then access those users private areas. It may be useful, after your server update and the former certificates' revocation, to schedule a modification of the secured services' access codes and to set up connection alerts.

Further information

Useful links