Here's the most crucial info about the OpenSSL bug that affects almost two-thirds of sites on the Internet.

With all the noise and furor over Heartbleed, it's hard to filter through the clamor and get to the heart of what's truly important, both in the short and in the long term. Here, then, are the five most crucial aspects of Heartbleed that users and admins alike need to know about the worst news in Internet security in a long time.

1. The problem is bad, no question about it

Heartbleed is the name of a bug (CVE-2014-0160) discovered in OpenSSL, the widely used open source library that provides SSL/TLS to web servers, mail servers, VPNs and much else on most server operating systems. It sits in OpenSSL's implementation of the TLS heartbeat extension and affects versions 1.0.1 through 1.0.1f; the older 0.9.8 and 1.0.0 branches never contained the code. The bug lets an unauthenticated attacker read out chunks of the affected process's memory, up to 64KB per request and as many requests as the attacker cares to send. Whatever happens to be in that memory is up for grabs: the server's private key, session cookies, passwords in flight, and from there impersonation of users and services.

This is bad news, real bad. It's bad enough that it's made the front page of the New York Times website; bad enough that InfoWorld's Roger Grimes says it's worse than you think; bad enough that no less an authority on security than Bruce Schneier called it "catastrophic" and said, "On the scale of 1 to 10, this is an 11." In all, two-thirds of the sites on the entire Internet may be affected, according to Ars Technica's educated guesswork. That figure tracks how much of the web runs on OpenSSL-based software; the share actually running a vulnerable 1.0.1 build with heartbeats enabled is smaller, but nobody is in a position to call it small.

2. It's not hard to find out if you've been affected

Now for some good news: it's not difficult to test servers and determine whether they're vulnerable. At least three online tests are out there: one by security firm Possible.lv, one by Filippo Valsorda, and one called "Reverse Heartbleed" that tests whether a client is vulnerable, not just servers. All of them work the same way: they send the target a malformed heartbeat request and watch whether it answers with memory it should never have sent. That is an attack in miniature, so point them only at systems you are authorized to test. Testing servers en masse may be a different story, though. Crypto professor and researcher Matthew Green went into detail about the bug on his site and has linked to a try-at-your-own-risk Python 2.6 script that can be used to automate testing across multiple machines. One caveat: a version string alone is not a reliable answer. Distributions that backport fixes keep reporting 1.0.1e after patching, so test the behavior, or read your distribution's package changelog, rather than trusting the output of "openssl version".
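To make concrete what "read out portions of memory" means in point 1, and what the testers in point 2 actually observe, here is an added example written for this edit; it is not code from the InfoWorld article or from the OpenSSL project. It models, in plain C and with no network involved, the heartbeat handling that OpenSSL 1.0.1 through 1.0.1f got wrong and the bounds check that 1.0.1g added, running over a simulated block of process memory. The buffer layout, the function names, the fake private-key string and the "process memory" contents are all constructed assumptions for the demo.

```c
/* Added example, not code from the InfoWorld article or the OpenSSL project:
 * a model of the TLS heartbeat handling behind Heartbleed (OpenSSL 1.0.1 to
 * 1.0.1f) beside the bounds check introduced in 1.0.1g. The buffer layout,
 * the fake key string and all names are constructed stand-ins for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding the heartbeat RFC requires */

/* Simulated process memory: the received heartbeat record sits at the front,
 * followed by whatever else the server happened to hold on its heap. */
static unsigned char process_mem[4096];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed stand-in)";

/* Write a heartbeat request into process_mem and return its record length.
 * claimed_len goes into the 2-byte length field; actual_len is how many
 * payload bytes are really present (testers send 1 byte but claim many). */
static size_t build_request(uint16_t claimed_len, size_t actual_len)
{
    memset(process_mem, 0, sizeof process_mem);
    process_mem[0] = TLS1_HB_REQUEST;
    process_mem[1] = (unsigned char)(claimed_len >> 8);
    process_mem[2] = (unsigned char)(claimed_len & 0xff);
    memset(process_mem + 3, 'A', actual_len);
    size_t rrec_len = 3 + actual_len + HB_PADDING;
    /* Secret material that lives beyond the record in the same process. */
    memcpy(process_mem + rrec_len + 8, secret, sizeof secret);
    return rrec_len;
}

/* Vulnerable handler: trusts the peer-supplied length and never compares it
 * with the record length. Returns bytes written to out, 0 for no reply. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rrec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rrec_len;                        /* ignored: this is the bug */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;      /* only keeps the demo itself safe */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);     /* reads far past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Patched handler: the 1.0.1g check. Header, claimed payload and padding must
 * all fit inside the received record, otherwise the request is discarded
 * silently, which is why a fixed server never answers a tester's probe. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rrec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rrec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rrec_len) return 0;
    return heartbeat_vulnerable(rec, rrec_len, out, out_cap); /* bounded now */
}

/* Byte-string search, so the demo avoids the non-standard memmem(). */
static int contains(const unsigned char *hay, size_t hay_len,
                    const void *needle, size_t needle_len)
{
    for (size_t i = 0; needle_len && i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Run one probe against either handler. Returns the reply length (0 means the
 * request was discarded) and sets *leaked if the reply carried the secret. */
static size_t probe(int patched, uint16_t claimed_len, size_t actual_len, int *leaked)
{
    unsigned char resp[2048];
    size_t rrec_len = build_request(claimed_len, actual_len);
    size_t n = patched ? heartbeat_fixed(process_mem, rrec_len, resp, sizeof resp)
                       : heartbeat_vulnerable(process_mem, rrec_len, resp, sizeof resp);
    *leaked = contains(resp, n, secret, sizeof secret - 1);
    return n;
}

size_t probe_reply_len(int patched, uint16_t claimed_len, size_t actual_len)
{ int l; return probe(patched, claimed_len, actual_len, &l); }

int probe_leaks_secret(int patched, uint16_t claimed_len, size_t actual_len)
{ int l; probe(patched, claimed_len, actual_len, &l); return l; }

int main(void)
{
    printf("vulnerable: %zu-byte reply to a 1-byte payload, key leaked: %d\n",
           probe_reply_len(0, 1024, 1), probe_leaks_secret(0, 1024, 1));
    printf("patched:    %zu-byte reply (0 = discarded), key leaked: %d\n",
           probe_reply_len(1, 1024, 1), probe_leaks_secret(1, 1024, 1));
    return 0;
}
```

A request carrying one real payload byte but claiming 1,024 gets a 1,043-byte reply from the vulnerable handler, and the fake key that sat 8 bytes past the end of the record comes back inside it; the patched handler returns nothing at all, and a well-formed request (claimed length matching the real one) gets a normal 20-byte echo from both. That asymmetry is all the online testers measure: a reply far larger than what they sent means vulnerable, silence means patched. The same comparison of the heartbeat length field against the enclosing TLS record length is what intrusion detection signatures for Heartbleed check on the wire, and building OpenSSL with -DOPENSSL_NO_HEARTBEATS removes the handler entirely rather than fixing it.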
3. Patching OpenSSL may not be enough

If you've found your machines are vulnerable, the fix is either to move to a version of OpenSSL that isn't vulnerable (1.0.1g or later, or your distribution's patched package) or, if you can't update right away, to recompile OpenSSL with the heartbeat extension disabled (the -DOPENSSL_NO_HEARTBEATS build option). Either way, every service that loaded the old library, whether web server, mail server, VPN daemon or anything statically linked against it, must be restarted, or it will keep running the vulnerable code. The method varies between platforms, but a few good tutorials have already started to appear: how to deal with the problem on either CentOS or Ubuntu, for instance. The folks at Pantheon have also talked about how they patched 60,000 Drupal and WordPress sites in a matter of hours.

But patching OpenSSL may only be the tip of the required mitigation efforts. Because Heartbleed allows the theft of a server's private key, certificates need to be rekeyed: generate a new private key, have the certificate reissued for it, install it, and revoke the old certificate, since a stolen key lets an attacker impersonate the site for as long as the old certificate is trusted. Reissuing a certificate on the same key accomplishes nothing. This isn't a trivial operation, and sites that cannot safely keep serving traffic while it happens have to take SSL, and everything behind it, offline in the meantime. If your SSL certificates have been issued through a hosting provider (such as GoDaddy), odds are you'll be at its mercy until the new certificates arrive. What's more, if a site can't perform commerce or other crucial activities with SSL out, it's effectively dead in the water while SSL is disabled. Canada's online tax filing services had to be shut down completely in the wake of Heartbleed, leaving filers out in the cold right before their tax deadlines.

4. It's going to be difficult to find out what's been stolen

Because the bug allows the arbitrary dumping of memory from a server, finding out what, if anything, might have been filched from a vulnerable server is going to be tough. The malformed heartbeat is handled inside the TLS layer, so a web or mail server writes nothing about it to its own logs; only full packet captures, or an intrusion detection system that inspects heartbeat records, could show an attack, and that assumes such records exist and reach back far enough (the flaw had been in released code for about two years). The most proactive route would be to assume anything sensitive that might have been dumped has been dumped and to set about changing anything that can be changed.
Again, that’s a massive undertaking for most organizations, so it makes sense to change the most immediate, sensitive items first: user passwords, certificates and keys if possible, and then on down the line.Mashable has been keeping a list of popular sites where you might need to change your password as an additional security measure. Note that such a move is only likely to protect you so much if a thief made off with an SSL session key or an item not explicitly protected by a user’s password. Still, it’s not a bad idea to rotate passwords on affected sites. 5. It’s not a good sign for our unquestioning reliance on unaudited open source codeMuch of the criticism about the bug has revolved around how it apparently emerged as a by-product of OpenSSL’s convoluted codebase, maintained by a small and rather insular team. Green notes that the bug was originally introduced back in December 2011, through an extremely trivial oversight.That’s bad enough, but also disturbing is how Heartbleed remained undetected by the major concerns using OpenSSL. For example, Facebook and Google were both affected by Heartbleed, but neither appear to have been proactively auditing OpenSSL’s code — not even after they made moves to switch their public-facing services over to SSL by default in the wake of the Snowden revelations. Various ironies abound because of this: As it turns out, sites built on Microsoft Windows Server and IIS — closed source products — are not vulnerable to this bug. We’re quick to depend on projects like OpenSSL for critical infrastructure, but we’re not as quick to ensure they are what they say they are. Finding a more consistent way to do that — not just in any one given company, but industry-wide — seems like a mission worth taking up.This article, “5 no-bull facts you need to know about Heartbleed right now,” was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. 