How Do I Know if My Servers are Affected?
As a user, you probably won't have direct access to the version number of the OpenSSL build running on the servers you connect to. For that, you'll have to rely on the server host to tell you whether or not they're susceptible to Heartbleed. You can also check out the GitHub list of known Heartbleed-susceptible domains.
If you're in charge of an Apache server, you can check your OpenSSL version by running this command:
This only tells you which version of OpenSSL you're running. Spoiler: if it's in the 1.0.1 branch and earlier than 1.0.1g, you have a problem. Also, there is no way to tell whether your SSL keys have been taken, so you should assume they have.
Which Versions of OpenSSL are Susceptible to Heartbleed?
The code bug that makes Heartbleed possible was introduced in March 2012 and wasn't patched until April 7, 2014. That leaves two years in which hackers could potentially have exploited the flaw.
- OpenSSL versions 1.0.1 through 1.0.1f are vulnerable
- OpenSSL 0.9.8 and 1.0.0 branches are not vulnerable
OpenSSL 1.0.1g, released on April 7, patches the flaw and is already being deployed on Apache servers.
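The version check described above and the affected-range list, combined into one added shell example (this is not code from the original article). It normalizes the output of `openssl version` and classifies the result against the ranges listed: 1.0.1 through 1.0.1f affected, 1.0.1g and later patched, the 0.9.8 and 1.0.0 branches not affected. Assumptions: the function names are mine; the 1.0.2-beta1 case comes from the upstream OpenSSL advisory rather than from this article; and because distribution packages often backport the fix without changing the version string, a "vulnerable" verdict from the version alone should be confirmed against your vendor's security advisory for the exact package build.

```shell
#!/bin/sh
# Added example, not from the original article: classify an OpenSSL version
# string against the Heartbleed-affected range the article lists
# (1.0.1 through 1.0.1f affected; 0.9.8 and 1.0.0 branches not; 1.0.1g fixed).
# Caveat: this judges the upstream version string only. Distribution packages
# often backport the fix without bumping the version, so also check your
# vendor's security advisory for the exact package build you are running.

# Reduce a raw "openssl version" line to "major.minor.fix[letter]",
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e".
normalize_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p'
}

# Print one of: vulnerable, patched, not-affected, unknown.
# Exit status is 0 when the string was recognised, 2 when it could not be parsed.
heartbleed_status() {
    raw="$1"
    # 1.0.2-beta1 was also affected per the upstream advisory (fixed in beta2);
    # handle it before normalisation strips the "-beta1" suffix.
    case "$raw" in
        *1.0.2-beta1*) echo "vulnerable"; return 0 ;;
    esac
    v=$(normalize_openssl_version "$raw")
    [ -n "$v" ] || { echo "unknown"; return 2; }
    case "$v" in
        1.0.1|1.0.1[a-f]) echo "vulnerable" ;;    # heartbeat bug present
        1.0.1[g-z])       echo "patched" ;;       # 1.0.1g and later 1.0.1 releases
        0.9.8*|1.0.0*)    echo "not-affected" ;;  # branches without the heartbeat code path
        *)                echo "not-affected" ;;  # 1.0.2 final and every later branch
    esac
    return 0
}

# Inspect the OpenSSL library on this host. "openssl version" reports the
# library the CLI was linked against; mod_ssl is usually linked against the
# same system libssl, but confirm with "ldd" on mod_ssl.so if in doubt
# (assumption: a typical Linux layout).
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl binary not found"; return 2; }
    raw=$(openssl version)
    status=$(heartbleed_status "$raw")
    echo "$raw -> $status"
    [ "$status" != "vulnerable" ]
}

# Run the local check when executed as a script; never abort the shell if it fails.
check_local_openssl || true
```

Run it directly on the server; the exit status of `check_local_openssl` is non-zero when the version string falls in the affected range, which makes it easy to wire into a fleet-wide inventory script. Treat a "patched" or "not-affected" result as a version-string verdict only; the private-key exposure the article describes leaves no trace, so a server that ran an affected build still needs its keys and certificates rotated.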