Heartbleed Bug

Andy Gambles
Servertastic
Apr 11, 2014 (3 min read)

If you have been doing anything on the internet over the last few days you will probably have come across articles about the Heartbleed Bug. Many of your favourite services may have sent you password reset emails.

About the Bug

For a complete technical overview of the bug I recommend you take a look at The Heartbleed Bug. For my simple explanation read on.

The bug itself exists only in a certain subset of OpenSSL versions (1.0.1 through 1.0.1f; 1.0.1g and the older 0.9.8 and 1.0.0 branches are not affected). It is NOT a virus nor is it something that infects your computer or server. It is a bug in the OpenSSL software used by many servers to encrypt internet communications: a missing bounds check in the TLS heartbeat extension lets anyone who can open a connection to an affected server read up to 64 KB of the server's memory per request, with no login and nothing written to the server's logs. That memory can contain private keys, session cookies, usernames and passwords.

The bug has existed for around the last two years (it arrived with OpenSSL 1.0.1 in March 2012). There is no evidence that it has been exploited in the wild, but there is also no evidence that it has not: an attack leaves no trace on the server. Potentially this bug could be what the NSA was referring to when it talked about "ssl added and removed here".
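To make the bug concrete, here is an added, simplified model of the heartbeat handler written for this page; it is not OpenSSL's source. The flat "memory" array, the request that claims 64 payload bytes while only sending 4, and the "secret" string placed immediately after the record are all constructed for illustration. The vulnerable handler follows the shape of the 1.0.1 to 1.0.1f code (trusting the length field in the record), and the fixed one adds the single bounds check that the 1.0.1g patch introduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520: at least 16 bytes of padding */

/* Simulated process memory. The incoming heartbeat record is placed at the
 * start; the bytes after it stand in for whatever happened to be next in the
 * real process heap (here a constructed "secret" string). */
static unsigned char memory[256];
static const char secret[] = "session=abc123; password=hunter2";  /* constructed sample */

/* Build a heartbeat request at `rec` whose 16-bit length field claims
 * `claimed_len` payload bytes while only `actual_len` bytes are really sent.
 * Returns the true length of the record on the wire. */
static size_t build_request(unsigned char *rec, uint16_t claimed_len, size_t actual_len)
{
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memset(rec + 3, 'A', actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1-1.0.1f: the payload length is
 * taken from the record itself and never compared with how many bytes actually
 * arrived, so memcpy reads past the end of the record. Returns the number of
 * response bytes written, or -1. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, size_t resp_cap)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                       /* the bug: rec_len is never checked */
    if (rec[0] != HB_REQUEST || (size_t)3 + payload + HB_PADDING > resp_cap)
        return -1;                       /* OpenSSL malloc'd a buffer of this size */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);  /* over-read when payload > rec_len - 3 */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler, modelled on the OpenSSL 1.0.1g patch: discard any heartbeat
 * whose claimed payload (plus type, length and minimum padding) does not fit
 * inside the record that was actually received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                       /* the check that was missing */
    if ((size_t)3 + payload + HB_PADDING > resp_cap)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Run one malicious request (claims 64 bytes, sends 4) through the chosen
 * handler. Returns the response length, or -1 if it was rejected. */
static int run_handler(int fixed, unsigned char *resp, size_t resp_cap)
{
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_request(memory, 64, 4);
    memcpy(memory + rec_len, secret, sizeof secret);   /* what lies beyond the record */
    return fixed ? heartbeat_fixed(memory, rec_len, resp, resp_cap)
                 : heartbeat_vulnerable(memory, rec_len, resp, resp_cap);
}

int reply_length(int fixed)
{
    unsigned char resp[128];
    return run_handler(fixed, resp, sizeof resp);
}

/* 1 if the handler's reply contains the neighbouring secret, else 0. */
int reply_leaks_secret(int fixed)
{
    unsigned char resp[128];
    int n = run_handler(fixed, resp, sizeof resp);
    size_t slen = strlen(secret);
    for (size_t i = 0; n > 0 && i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: reply %d bytes, leaks secret: %d\n",
           reply_length(0), reply_leaks_secret(0));
    printf("fixed:      reply %d bytes, leaks secret: %d\n",
           reply_length(1), reply_leaks_secret(1));
    return 0;
}
```

The vulnerable handler echoes back 83 bytes, 60 of which were never sent by the client and include the neighbouring secret; the fixed handler drops the record and sends nothing. In a real server the attacker repeats the request, and each reply is a fresh 64 KB window into the heap.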

How can I check if my site is vulnerable?

You can test any website using the Symantec SSL Toolbox. Test again after patching: the fix is only complete once OpenSSL has been upgraded to 1.0.1g (or rebuilt with heartbeats disabled) and every service that had loaded the old library has been restarted.

If your site is vulnerable please take a look at our support article: OpenSSL Vulnerability TLS heartbeat read overrun (CVE-2014-0160)

Do not change your passwords

Many of the articles you will read suggest you should immediately go and change all your internet passwords. Before you do this you should check whether the provider is still vulnerable or not. If you change your password while they remain vulnerable then the new password could be read out of the server's memory just as easily as the old one. Use the Symantec SSL Toolbox to check. If they are not vulnerable, and ideally once they have also re-issued their certificate with a new private key (the old key may have been exposed), then you can change your password.

Some services have not been affected by this bug at all. Hotmail and Apple for instance have not been using an affected version therefore there is no need to change your password (although regularly changing your password is advisable).

Was Servertastic affected?

The quick answer is Yes. The slightly more complicated answer is "not as much as others". Part of our network was using a vulnerable version of OpenSSL. This is now patched and our certificates have been re-issued. Since January 2013 we have been using forward secrecy. This means that if our private key was ever exposed, past sessions that had been recorded could not be decrypted with it. But it is possible someone could have used the vulnerability to intercept live traffic. There are many variables that need to be in place for this to happen, which makes the odds very small, but not zero.

Next Steps

Check if any of the services you use have been or remain affected. Most providers will give you advice on what to do. If you feel it is necessary, reset your passwords. Servertastic customers can do this via the My Account section. Resellers may want to regenerate their API key.

If you purchased an SSL certificate from Servertastic and have/had a vulnerable system please refer to OpenSSL Vulnerability TLS heartbeat read overrun (CVE-2014-0160)
