You can’t have failed to notice the media storm in the IT and security press around the recent vulnerability in the bedrock of the internet – SSL. The service designed to be protecting our data when sent over the big bad public wire has been wide open since early 2012 within many OpenSSL deployments (unpatched OpenSSL 1.01 or 1.02beta).
This affect both web servers and any other network based services running these versions of OpenSSL.
But what should you do? How should you respond to this vulnerability responsibly?
Step 1: Find out where your problem exists
Run a vulnerability scan on your networks and systems to find out where you have the problem. This can be done from a range of tools (vulnerability scanners).
You can also check you service for the existence of this vulnerability at:
Step 2: Patch
Many vendors, including all the major players, now have a patch out. See the list at ISC:
You need to protect your WebServers, and any other services which use the vulnerable versions of OpenSSL, from being susceptible to this issue.
Step 3: Replace any existing SSL Certificates
Simply patching does not remove the risk that any compromised keys cannot be still used to decrypt the data being sent to/from your service. You need to revoke your existing SSL certificate and request a new one to be created and installed.
Step 4: Password Resets
Any passwords that have been sent to your systems/applications may have been compromised. You should request that your users change their password. Not to another one used elsewhere, but to a new, complex unique one following good password practise.
However, please don't ask your users to change their passwords until you have patched your services and replaced any SSL certificates. In other words, follow these steps in order and only complete the next one when the previous has been completed.
For reference the original vulnerability reference can be found at:
To contact Nettitude's editor, please contact firstname.lastname@example.org.