What Can I Do to Protect Myself from Heartbleed?
Server Administrators
The real onus for addressing heartbleed falls on the shoulders of Apache system administrators. They need to upgrade OpenSSL to version 1.0.1g, revoke their SSL certificates, generate new SSL certificates and private keys, and get new certificates from their SSL vendor.
After they complete all of that, it's time to notify end users so they can change their login passwords.
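As an added example that is not from the article, here is a small POSIX shell script covering the administrator steps above (the host name and output file names are assumptions). It checks whether the installed OpenSSL build is still in the affected range, 1.0.1 through 1.0.1f (1.0.1g is the fix the article names; the 0.9.8 and 1.0.0 branches never had the bug), and only on a fixed build generates a fresh private key and CSR for the replacement certificate.

```shell
#!/bin/sh
# Added example (not from the article): helper for the server-side remediation.
# Host name and output file names are assumptions.

# Extract a "1.0.1f" style version from an "openssl version" banner and report
# whether it is in the Heartbleed-affected range: 1.0.1 through 1.0.1f.
# Exit status: 0 = affected, 1 = not affected, 2 = banner not recognised.
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 .. 1.0.1f carry the bug
        *) return 1 ;;                  # 1.0.1g and later, or other branches
    esac
}

# Generate a fresh 2048-bit RSA key and CSR for a host. The old key must be
# treated as exposed, so it is never reused: the CSR goes to the SSL vendor
# for the replacement certificate, the old certificate is revoked, and then
# users are told to change their passwords.
rekey_host() {
    host=$1
    umask 077   # keep the new private key readable only by this user
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$host.key.new" -out "$host.csr" -subj "/CN=$host"
}

main() {
    banner=$(openssl version 2>/dev/null)
    status=0
    heartbleed_affected "$banner" || status=$?
    case $status in
        0) echo "$banner is affected: upgrade to 1.0.1g before rekeying" >&2; return 1 ;;
        2) echo "could not parse openssl version banner: '$banner'" >&2; return 1 ;;
    esac
    rekey_host "$1"
}

# Usage: ./heartbleed-rekey.sh www.example.com   (host name is an assumed value)
if [ $# -ge 1 ]; then
    main "$1"
fi
```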
End Users and Website Owners
You guys are at the mercy of the site hosts, meaning the server administrators. Users can contact the companies they deal with online to find out what they're doing about heartbleed.
Make sure your Mac is set to recognize revoked certificates by adjusting the Keychain Access preferences. Here's how:
- Go to Applications > Utilities > Keychain Access
- Launch Keychain Access
- Go to the Keychain Access menu and choose Preferences
- Click the Certificates tab
- Set Online Certificate Status Protocol and Certificate Revocation List to Best Attempt
- Set Priority to OCSP
(Screenshot: Keychain Access settings to watch for revoked certificates)
This will tell every application that relies on your Mac's built-in keychain to avoid revoked certificates. That includes Safari and Mail, as well as many other applications.
Google Chrome has its own settings to monitor certificate validity, but they're off by default. To check for revoked certificates in Chrome, do this:
- Launch Chrome
- Go to the Chrome menu and choose Preferences
- Click Settings, then scroll to the bottom and click Show advanced settings
- Check the box labeled Check for server certificate revocation in the HTTPS/SSL section
(Screenshot: Chrome's certificate revocation settings)
Firefox checks for revoked certificates by default. If you want to double check to make sure that's what's happening, do this:
- Launch Firefox and go to Firefox > Preferences
- Choose the Advanced tab
- Select Certificates
- Click Validation
- Make sure the box labeled Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates is checked
Website owners should contact their service providers to find out if they are susceptible to heartbleed and whether or not new SSL certificates have been generated. If your site relies on your own SSL certificates, there's a good chance you'll need to generate new ones. Be sure to ask your site host.
Short version: Once your host updates OpenSSL, you and everyone else with logins to your WordPress site will be changing passwords.