Dealing with Heartbleed: What You Need to Know


How Do I Know if My Servers are Affected?

As a user, you probably won't have direct access to the version number of the OpenSSL build running on the servers you connect to. For that, you'll have to rely on the server operator to tell you whether or not they're susceptible to heartbleed. You can also check the GitHub list of known heartbleed-susceptible domains.

If you're in charge of an Apache server, you can check your OpenSSL version by running this command:

openssl version

This only tells you which version of OpenSSL you're running. Spoiler: If it's earlier than 1.0.1g, you have a problem. Also, there isn't a way to tell if your SSL keys have been taken, so you should assume they have.

Which Versions of OpenSSL are Susceptible to Heartbleed?

The code bug that makes heartbleed possible was introduced in March 2012, and wasn't patched until April 7, 2014. That leaves two years during which attackers could potentially have exploited the flaw.

  • OpenSSL versions 1.0.1 through 1.0.1f are vulnerable
  • OpenSSL 0.9.8 and 1.0.0 branches are not vulnerable

OpenSSL 1.0.1g, released on April 7, patches the flaw and is already being deployed on Apache servers.
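As an added example that is not part of the original article, here is a small POSIX sh function that classifies the output of `openssl version` against the ranges listed above. The function name, the result labels, and the caveat about vendor backports are assumptions of this example, not the article's.

```shell
#!/bin/sh
# Classify an "openssl version" string against the Heartbleed ranges:
#   1.0.1 through 1.0.1f  -> vulnerable
#   1.0.1g and later      -> patched
#   0.9.8.* and 1.0.0.*   -> not-vulnerable (branches without the heartbeat code)
# Caveat (assumption, not from the article): many distributions backport the fix
# without bumping the upstream version string, so "vulnerable" here means
# "confirm against your vendor's advisory", not proof of exposure.
heartbleed_status() {
    # $1 is the full version line, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    ver=${ver%%-*}   # drop build suffixes such as "-fips"
    case "$ver" in
        1.0.1)          echo vulnerable ;;      # the original 1.0.1 release
        1.0.1[a-f])     echo vulnerable ;;      # 1.0.1a .. 1.0.1f
        1.0.1[g-z])     echo patched ;;         # 1.0.1g and later letter releases
        0.9.8*|1.0.0*)  echo not-vulnerable ;;  # branches never shipped heartbeat
        *)              echo unknown ;;         # not OpenSSL, or an unlisted branch
    esac
}

# When run directly on a host with openssl installed, report the local build.
command -v openssl >/dev/null 2>&1 && heartbleed_status "$(openssl version)" || true
```

A result of `unknown` for a newer branch is deliberate: the ranges above are only what this article lists, so anything outside them should be checked against the upstream advisory rather than guessed.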


Comments

Bosco (Brad Hutchings)

It’s a good thing that Google’s known strategy of selling out their customers gave them the incentive to identify this problem!

gnasher729

Has anyone ever claimed that Google is selling out their customers? The problem is that end users are not Google’s customer, but the product.

Lee Dronick

How does iOS 7 deal with the certificates? Do we need to do anything on those devices to protect ourselves?

John Dingler, artist

Hi Jeff,
Safari user. Thanks.

John Dingler, artist

By the way, thanks for this clear step-by-step instruction. But I am sure that committed trespassers will figure out ways to skirt the roadblock to their shenanigans.

Paul Goodwin

Just for my education, in the vulnerable/not vulnerable site list, what does it mean when it says “No SSL”? It was obvious that it wasn’t vulnerable. Do they have their own encryption technology?

Macfox

Thanks Jeff for this update. I’m checking my browsers now. This is just one of the great reasons for TMO: you are all great!

wab95

Jeff:

Just wanted to say thank you for posting this excellent analysis of what heartbeat and Heartbleed are, are not, and what we can do about it. I’ve taken the liberty of sharing this page with a number of friends and family who’ve been sending me both articles on the phenomenon (some not so well informed or accurate) as well as requests for how to respond to it.

Knowledge is a powerful antidote to fear.

Bart B

Great article Jeff - it’s not at all easy to explain this stuff in a way that’s clear to regular folks, while still being accurate. The line between over simplification and information overload can be very hard to find, but I think this is pretty darn close to perfect :)
