What is Heartbleed, and why should I care?
If you've paid any attention to tech news over the last few days, you may have heard of a serious vulnerability called Heartbleed. In a nutshell, this is a vulnerability found in OpenSSL. What's OpenSSL? It's the program used by many web servers to provide HTTPS access via Transport Layer Security (TLS, which we used to call SSL). In other words, when you open a browser and buy something on Amazon, or log into Google Apps, you're connecting to a web server that uses TLS.
Uh-oh, I use Amazon/Gmail/Facebook, do I have to worry?
Uh-oh, I run a web server myself! Do I have to worry?
Also, in theory, it's possible that an attacker was able to read some data on your server before you fixed it. This could be anything stored in memory: user passwords, database credentials, even the private key used by your TLS certificates! There isn't really a fix for that other than to change ... everything. Have fun!
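To make the "fix it" step concrete, here is an added check script (not part of the original post) for a Linux/Unix box: it classifies an OpenSSL version string as Heartbleed-affected or not, and then lists processes still holding a replaced libssl in memory, which is the usual reason a server stays exposed after the package update. It assumes an upstream-style version string; distributions that backport the fix keep the old version number, so there you have to trust the package changelog instead.

```shell
#!/bin/sh
# Added example, not from the original post.
# Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1
# (fixed in 1.0.1g). Returns 0 (true) if the given version string is affected.
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
    *) return 1 ;;
  esac
}

# Human-readable label for a version string (used by the test harness too).
heartbleed_status() {
  if heartbleed_affected "$1"; then echo affected; else echo not-affected; fi
}

# Processes that mapped a libssl file which has since been replaced on disk:
# they still run the OLD, vulnerable code until restarted.
stale_libssl_processes() {
  grep -l 'libssl.*(deleted)' /proc/[0-9]*/maps 2>/dev/null \
    | sed 's#/proc/\([0-9]*\)/maps#\1#'
}

check_installed() {
  ver=$(openssl version 2>/dev/null | awk '{print $2}')
  [ -n "$ver" ] || { echo "openssl binary not found"; return 2; }
  echo "installed OpenSSL $ver: $(heartbleed_status "$ver")"
  echo "caveat: distro packages (Debian/Ubuntu/RHEL) backport fixes without"
  echo "        changing this number; check the package changelog as well."
  stale=$(stale_libssl_processes)
  if [ -n "$stale" ]; then
    echo "restart these PIDs, they still use a replaced libssl:"; echo "$stale"
  fi
}

# Run the live check only when invoked as: sh heartbleed-check.sh --check
if [ "${1:-}" = "--check" ]; then check_installed; fi
```

Remember the caveat in L4 still stands: a clean version check tells you the hole is closed, not that nothing was read through it beforehand.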
What web servers rely on OpenSSL?
[Image: One of the two OpenSSL DLLs on Windows, showing the version number]
Wait, you mean only Microsoft IIS is immune to this?
I'm running an SMTP/IMAP/SSL VPN/FTP/stunnel server. Do I have to worry?
If you're using Adobe Connect and have it installed on your own network, you may be using stunnel with it to handle TLS. If so, you may need to replace the OpenSSL libraries there as well. This only applies to locally-installed Connect servers, not those hosted by Adobe or other vendors.
I'm using OpenSSL in a client to connect to another server. Do I need to do anything?
[UPDATE - I've received additional information about client vulnerabilities from a security professional acquaintance - I am not a security professional, just a very scared system administrator - and it appears that clients can, in fact, be attacked via MITM - a compromised server is not necessary. So, at a minimum, update your client OpenSSL libraries too.]