You will all have read about the (in)famous “Heartbleed” bug. While there are a lot of articles floating around explaining what it is and what it can do, none of them answers an app developer’s questions. So, here it is.
The Heartbleed bug, a.k.a. OpenSSL vulnerability CVE-2014-0160, was disclosed on April 7, 2014. The bug was introduced in OpenSSL version 1.0.1 and has been out there since March 2012. OpenSSL, one of the pillars of encryption on the internet and the victim of this bug, is a widely used cryptographic library that provides secure connections between servers and clients. The bug affects nearly all major web service providers who use HTTPS to give customers secure access to their services. It can reveal sensitive data about your customers without leaving any trace, so it needs to be fixed at the earliest. Amazon, Facebook, Google and Yahoo are working on, or have already rolled out, patches for this bug.
If you develop mobile or web services and manage an HTTPS server, here’s what you need to do to secure your server and your customers’ data.
1. Upgrade OpenSSL library
On Ubuntu systems:
sudo apt-get install --only-upgrade libssl1.0.0
You can recheck using the following command.
sudo openssl version -a
If the “built on” date is Apr 7, 2014 or later, your server has been patched for the “Heartbleed bug”. Reboot your server (so every running service loads the patched library) and then follow the remaining three steps.
2. Revoke all the SSL certificates on this server
3. Regenerate all SSL private keys and certificates
4. Recommend your customers to change their passwords
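The four steps above, as an added worked example that is not part of the original post: a POSIX shell script that reads the output of `openssl version -a` and classifies the host as vulnerable, patched or unaffected, and a helper for step 3 that generates a fresh private key and CSR. It goes slightly beyond the post in two ways: it also treats upstream 1.0.1g or later as fixed by version string alone, and it knows that 0.9.8, 1.0.0 and 1.0.2 (other than 1.0.2-beta1) never had the heartbeat bug. The reason the build date matters at all is that Ubuntu shipped the fix as a rebuild of the same 1.0.1e/1.0.1f version string, so the version number by itself can be misleading. The sample outputs are constructed to look like real `openssl version -a` output; the function names and the `--regen` argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Facts used: upstream OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) contain
# CVE-2014-0160; 1.0.1g, released 7 Apr 2014, and later are fixed; 0.9.8 and
# 1.0.0 never had the TLS heartbeat extension bug. Distribution rebuilds keep
# the old version string, so for a 1.0.1 build the "built on:" date decides.

# heartbleed_status "<full output of openssl version -a>"
# Prints exactly one of: vulnerable, patched, unaffected, unknown
heartbleed_status() {
  printf '%s\n' "$1" | awk '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    /^OpenSSL / { ver = $2 }                 # e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    /^built on:/ {                           # e.g. "built on: Mon Apr  7 20:33:29 UTC 2014"
      for (i = 3; i <= NF; i++) {
        if ($i in mon) { bm = mon[$i]; bd = $(i + 1) + 0 }
        if ($i ~ /^[0-9][0-9][0-9][0-9]$/) by = $i + 0
      }
    }
    END {
      if (ver == "") { print "unknown"; exit }
      if (ver ~ /^1\.0\.2-beta1/) { print "vulnerable"; exit }
      if (ver !~ /^1\.0\.1/) { print "unaffected"; exit }   # 0.9.8, 1.0.0, 1.0.2+
      if (ver ~ /^1\.0\.1[g-z]/) { print "patched"; exit }  # upstream fix or later
      if (bm == 0 || by == 0) { print "unknown"; exit }     # no usable build date
      # 1.0.1 .. 1.0.1f: patched only if rebuilt on or after 7 Apr 2014
      if (by > 2014 || (by == 2014 && (bm > 4 || (bm == 4 && bd >= 7)))) print "patched"
      else print "vulnerable"
    }'
}

# regenerate_key_and_csr DIR COMMON_NAME
# Step 3 of the post: a brand-new private key (the old one must be treated as
# leaked) and a CSR to submit to the CA. Once the new certificate is installed,
# revoke the old one with the CA (step 2).
regenerate_key_and_csr() {
  dir=$1; cn=$2
  ( umask 077                                # key file readable by its owner only
    openssl genrsa -out "$dir/$cn.key" 2048 &&
    openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" -out "$dir/$cn.csr" )
}

# Constructed samples modelled on real "openssl version -a" output.
SAMPLE_VULNERABLE='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Jan  8 20:45:51 UTC 2014
platform: debian-amd64'
SAMPLE_REBUILT='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64'
SAMPLE_UPSTREAM='OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 10:00:00 UTC 2014'
SAMPLE_OLD='OpenSSL 1.0.0 29 Mar 2010
built on: Tue Mar 30 10:00:00 UTC 2010'

for s in "$SAMPLE_VULNERABLE" "$SAMPLE_REBUILT" "$SAMPLE_UPSTREAM" "$SAMPLE_OLD"; do
  printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(heartbleed_status "$s")"
done

# Live check of this host, when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
  printf 'this host -> %s\n' "$(heartbleed_status "$(openssl version -a 2>/dev/null)")"
fi

# Key regeneration only on explicit request, e.g.:
#   sh heartbleed_check.sh --regen /etc/ssl/private www.example.com
if [ "${1:-}" = "--regen" ]; then
  regenerate_key_and_csr "${2:?directory}" "${3:?common name}"
fi
```

The classifier treats a 1.0.1 build with no parseable build date as "unknown" rather than guessing, because a wrong "patched" verdict is the costly outcome here; on such hosts fall back to the distribution's security advisory for the installed package version.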
It rarely happens that a bug affects the core foundation of the internet. This is one of those few cases. All the major web service providers are putting fixes in place, and it is widely feared that it will take months for nearly every provider of HTTPS services to apply these fixes and make customer data secure again.
It is also highly recommended to ask your customers to change their passwords: customers typically reuse the same password across different web services, and while you may have secured your service, other web services might not have done the same.
Have fun fixing the heart!!!