Friday, April 11, 2014

Is your site vulnerable to the OpenSSL Heartbleed flaw?

I was too lazy (or too busy?) to write another blog post (the last one was written in 2012); there are so many of them on the Net these days. However, I feel the urge to share useful information with those who run web sites.

You may already know about the widely publicized Heartbleed bug that may be impacting more than 500,000 systems across the Internet. Heartbleed is a bug in the OpenSSL library, v. 1.0.1 up to 1.1.f, which is used for encrypted communication in VPNs and web sites across the world. The design flaw in the program exposes information that sits in resident memory to an attacker. That information may contain users' credentials, including credit card numbers, as well as the private keys of your file server that are used for the encrypted communication.

This flaw may impact many communication systems that use VPN, SSL, Cisco IP phones, or VMware servers. We all appreciate it when a flaw is discovered BEFORE actual attacks occur, so this time it was a timely message to the world community, and most vendors have applied the fix or workarounds.

A few workarounds have been suggested:

1) Change the communication port 443 being used by SSL

2) Use a firewall rule to drop all SSL heartbeat requests. For instance, with the iptables u32 module (thanks to the guys for the tip):

iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 "52=0x18030000:0x1803FFFF" -j DROP

The match looks at the 32-bit word starting at byte 52 of the IP packet, i.e. the first bytes of the TLS record assuming a 20-byte IP header and a 32-byte TCP header, and drops it when the record content type is 0x18 (heartbeat) with a 0x03xx protocol version. Note that it only covers port 443 and that fixed offset, so TLS on other ports or packets with a different TCP header length are not caught.
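To make the rule's behaviour concrete, here is an added example (not code from the blog post): it builds constructed IPv4/TCP packets carrying a single TLS record, detects a heartbeat record by parsing the real header lengths, and emulates the fixed-offset u32 match so the two can be compared. The helper names and sample packets are my own assumptions.

```python
import struct

# Constructed sample packets (not captured traffic): minimal IPv4 + TCP + one TLS record.
def build_packet(tcp_header_len: int, tls_content_type: int) -> bytes:
    """Build an IPv4/TCP packet carrying one TLS record with the given content type.
    tcp_header_len must be a multiple of 4 between 20 and 60 (20 = no options)."""
    # TLS record header: type, version 3.1 (TLS 1.0), length; then a 3-byte placeholder body
    tls_record = bytes([tls_content_type, 0x03, 0x01]) + struct.pack("!H", 3) + b"\x01\x00\x00"
    tcp = struct.pack("!HHIIBBHHH",
                      44321, 443, 1, 1,
                      (tcp_header_len // 4) << 4,   # data offset in 32-bit words
                      0x18, 65535, 0, 0)            # flags (PSH|ACK), window, checksum, urgent
    tcp += b"\x01" * (tcp_header_len - 20)          # pad with TCP NOP options
    total_len = 20 + len(tcp) + len(tls_record)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + tls_record

def tls_record_offset(packet: bytes) -> int:
    """Offset of the TLS record header, derived from the real IPv4 IHL and TCP data offset."""
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    return ihl + data_offset

def is_tls_heartbeat(packet: bytes) -> bool:
    """Header-aware check: content type 0x18 (heartbeat) with a 0x03xx TLS version."""
    off = tls_record_offset(packet)
    if len(packet) < off + 5:
        return False
    return packet[off] == 0x18 and packet[off + 1] == 0x03

def u32_rule_matches(packet: bytes) -> bool:
    """Emulates the iptables u32 match "52=0x18030000:0x1803FFFF": the big-endian
    32-bit word at byte offset 52 of the IP packet must fall inside that range."""
    if len(packet) < 56:
        return False
    word = struct.unpack("!I", packet[52:56])[0]
    return 0x18030000 <= word <= 0x1803FFFF

if __name__ == "__main__":
    for tcp_len, ctype in ((32, 0x18), (20, 0x18), (32, 0x17)):
        pkt = build_packet(tcp_len, ctype)
        print(f"tcp_hdr={tcp_len} type=0x{ctype:02x} "
              f"parsed={is_tls_heartbeat(pkt)} u32_rule={u32_rule_matches(pkt)}")
```

With a 32-byte TCP header both checks agree; with a plain 20-byte TCP header the fixed-offset rule misses the heartbeat record that the header-aware parser still finds.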

You can test whether your site is vulnerable by using the following URL from Qualys SSL Labs:

Below is the result of the test for the site:

A quite detailed report follows the Summary, containing plenty of information about the certificates your site is using, algorithms, protocols, ciphers, and even a handshake simulation with all known browsers, including mobile ones.

Any confusing information can be investigated further because the lab provides links to more information. Highly recommended!