Dealing with Heartbleed: What You Need to Know

| Analysis

What Can I Do to Protect Myself from Heartbleed?

Server Administrators The real onus for addressing heartbleed falls on the shoulders of the system administrators of any server that links against OpenSSL (Apache and nginx with SSL enabled, mail servers, VPN endpoints, and so on). OpenSSL 1.0.1 through 1.0.1f are vulnerable. Administrators need to upgrade to OpenSSL 1.0.1g (or a distribution package that backports the fix), restart every service that loaded the old library, generate new private keys and certificate signing requests, get new certificates issued by their SSL vendor, install them, and only then revoke the old certificates. The order matters: revoking before the replacement is installed takes the site down, and reissuing a certificate over the old, possibly leaked private key gains nothing.

After they complete all of that, it's time to notify end users so they can change their login passwords.
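The server-side procedure above, and the revocation check that the browser settings further down only approximate, as an added POSIX shell example (not code from the original article, Wordfence, or the OpenSSL project). It assumes the OpenSSL command-line tool is on PATH; the version strings, the hostname www.example.com and the temporary output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the OpenSSL CLI is
# installed; the version strings below are constructed test inputs.

# Return 0 (true) if an "openssl version" string falls in the vulnerable range
# 1.0.1 .. 1.0.1f. 1.0.1g and later are fixed; 1.0.0 and 0.9.8 never had the
# heartbeat code. Caveat: distributions backport the fix without changing the
# version number, so a match here means "check the package changelog", not a
# confirmed hole.
heartbleed_vulnerable_version() {
    # $1 is e.g. "OpenSSL 1.0.1f 6 Jan 2014"
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$v" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a fresh private key and CSR. Never reuse the old key: heartbleed
# may have leaked it, and a reissued certificate over the same key leaves the
# attacker's copy usable until the new certificate expires.
new_key_and_csr() {
    # $1 = hostname for the CN, $2 = output directory
    host=$1; out=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$out/$host.key" 2>/dev/null || return 1
    chmod 600 "$out/$host.key"
    openssl req -new -key "$out/$host.key" -subj "/CN=$host" \
        -out "$out/$host.csr" 2>/dev/null || return 1
    # Sanity check: the CSR must carry the public half of the new key.
    [ "$(openssl pkey -in "$out/$host.key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$out/$host.csr" -pubkey -noout 2>/dev/null)" ]
}

# After the new certificate is deployed, ask the CA's OCSP responder about
# whatever the live server is serving. Browser "best attempt" settings treat an
# unreachable responder as "good", which is why an explicit check is useful.
# On OpenSSL older than 1.1.0 add: -header Host <ocsp responder hostname>
ocsp_status() {
    # $1 = hostname; prints the responder's verdict: good, revoked or unknown
    host=$1
    tmp=$(mktemp -d) || return 1
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/cert" n ".pem")}'
    uri=$(openssl x509 -in "$tmp/cert1.pem" -noout -ocsp_uri 2>/dev/null)
    if [ -z "$uri" ]; then
        echo "no OCSP URI in certificate"; rm -rf "$tmp"; return 1
    fi
    # cert1 is the leaf, cert2 the issuer that must sign the OCSP response
    openssl ocsp -issuer "$tmp/cert2.pem" -cert "$tmp/cert1.pem" \
        -url "$uri" -no_nonce 2>&1 | sed -n 's/^.*cert1\.pem: //p'
    rm -rf "$tmp"
}

# --- stand-alone demonstration ---
for s in "OpenSSL 1.0.1f 6 Jan 2014" "OpenSSL 1.0.1g 7 Apr 2014" \
         "OpenSSL 1.0.0k 5 Feb 2013"; do
    if heartbleed_vulnerable_version "$s"; then
        echo "in vulnerable range: $s"
    else
        echo "not in range:        $s"
    fi
done
if command -v openssl >/dev/null 2>&1; then
    if heartbleed_vulnerable_version "$(openssl version)"; then
        echo "this host's OpenSSL is in the vulnerable range; check the package changelog"
    fi
    d=$(mktemp -d)
    if new_key_and_csr www.example.com "$d"; then
        echo "new key and CSR written to $d"
    else
        echo "key/CSR generation failed"
    fi
fi
# Pass a hostname as the first argument to query its certificate's OCSP status.
if [ -n "${1-}" ]; then ocsp_status "$1"; fi
```

Run it with no arguments to exercise the version check and key generation; run it with a hostname (for example `sh heartbleed.sh www.example.com`) after the new certificate is live to confirm the responder reports the served certificate as good and, by pointing it at a saved copy of the old certificate, that the old one is revoked.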

End Users and Website Owners You are at the mercy of the site hosts, meaning the server administrators. Users can contact the companies they deal with online to find out what they're doing about heartbleed. Don't rush to change a password on a site that hasn't patched yet: until the server is fixed, a new password can be leaked just as the old one was, so change it once the site confirms it has upgraded OpenSSL and reissued its certificate.

Make sure your Mac checks for revoked certificates. The setting lives in Keychain Access; here's how:

  • Go to Applications > Utilities > Keychain Access
  • Launch Keychain Access
  • Go to the Keychain Access menu and choose Preferences
  • Click the Certificates tab
  • Set Online Certificate Status Protocol and Certificate Revocation List to Best Attempt
  • Set Priority to OCSP

Keychain Access settings to watch for revoked certificates

This tells every application that relies on your Mac's built-in keychain to check a certificate's revocation status before trusting it. That includes Safari and Mail, as well as many other applications. One caveat: Best Attempt is a soft-fail setting, so if the OCSP responder or CRL can't be reached, the certificate is accepted anyway. The stricter "Require" options fail closed, but they also block legitimate sites whenever a responder is slow or down.

Google Chrome has its own settings. By default it relies on CRLSets, a list of revocations that Google pushes to the browser, and does not query OCSP responders or CRLs itself; the online check is off. To have Chrome also check revocation online, do this:

  • Launch Chrome
  • Go to the Chrome menu and choose Preferences
  • Click Settings, then scroll to the bottom and click Show advanced settings
  • Click Check for server certificate revocation in the HTTPS/SSL section

Chrome's certificate revocation settings

Firefox checks for revoked certificates via OCSP by default. If you want to double check that's what's happening, do this:

  • Launch Firefox and go to Firefox > Preferences
  • Choose the Advanced tab
  • Select Certificates
  • Click Validation
  • Make sure "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates" is checked

Website owners should contact their service providers to find out whether they were susceptible to heartbleed and whether new SSL certificates have been issued. If your site uses its own SSL certificate rather than one managed by the host, there's a good chance you'll need to generate a new private key and certificate yourself. Be sure to ask your site host.

If you're a WordPress user, Wordfence has a great post on exactly what you need to do to make sure your sites are heartbleed-proof. Also change the authentication keys and salts in wp-config.php; that invalidates every existing login cookie and forces all users to log in again.

Short version: Once your host updates OpenSSL, you and everyone else with logins to your WordPress site will be changing passwords.

Comments

Bosco (Brad Hutchings)

It’s a good thing that Google’s known strategy of selling out their customers gave them the incentive to identify this problem!

gnasher729

Has anyone ever claimed that Google is selling out their customers? The problem is that end users are not Google’s customer, but the product.

Lee Dronick

How does iOS 7 deal with the certificates? Do we need to do anything on those devices to protect ourselves?

John Dingler, artist

Hi Jeff,
Safari user. Thanks.

John Dingler, artist

By the way, thanks for this clear step-by-step instruction. But I am sure that committed trespassers will figure out ways to skirt the roadblock to their shenanigans.

Paul Goodwin

Just for my education, in the vulnerable/not vulnerable site list, what does it mean when it says “No SSL”? It was obvious that it wasn’t vulnerable. Do they have their own encryption technology?

Macfox

Thanks Jeff for this update. I’m checking my browsers now. This is just one of the great reasons for TMO: you are all great!

wab95

Jeff:

Just wanted to say thank you for posting this excellent analysis of what heartbeat and Heartbleed are, are not, and what we can do about it. I’ve taken the liberty of sharing this page with a number of friends and family who’ve been sending me both articles on the phenomenon (some not so well informed or accurate) as well as requests for how to respond to it.

Knowledge is a powerful antidote to fear.

Bart B

Great article Jeff - it’s not at all easy to explain this stuff in a way that’s clear to regular folks, while still being accurate. The line between over simplification and information overload can be very hard to find, but I think this is pretty darn close to perfect smile
