The security issue related to OpenSSL has been all over the news in the last couple of days.
It is indeed a very bad issue, one that can let an attacker obtain the login details, including passwords, of registered users from vulnerable websites/servers. Yahoo Mail was one of those sites, out of nearly a million others!
This vulnerability has been around for 2 years; it affects servers using OpenSSL 1.0.1 through 1.0.1f (inclusive).
Those servers could be running consumer websites or other applications. For example, the Network Security Monitoring suite Security Onion was vulnerable until yesterday, when a security fix/update was released. The same applies to the Penetration Testing platform Kali 1.06, which was vulnerable until today!
If those applications/environments were internet facing, user IDs and passwords may have been compromised at any point in the last 2 years.
This issue allows an attacker to read the memory of a vulnerable server, which means that unless you have logged on to that server recently, your credentials are unlikely to be in its memory. Although we don’t know who knew about the issue before, now everyone knows, and a lot of people now have access to exploits that leverage it.
What does it mean?
It means that by blindly changing your passwords on all the websites you have registered on in the past, you might end up making it worse for yourself!
Indeed, if the servers on which you are changing your credentials are still vulnerable, all you would be doing is loading your shiny new passwords into the servers’ memory, waiting to be hacked!
Therefore you should only change your passwords on servers/websites that are no longer vulnerable. To find out, you can ask the relevant webmaster or use one of the online checks or scripts available at the following links:
And if you own such servers and have access to their command prompt, a simple “openssl version” should give you the version you are running.
Below is a link to a first-hand account of how it was discovered and fixed in one company; it is a great story with great insight:
What is important, though, is not to panic. Stay calm and carry on! You should soon receive emails from a lot of websites telling you they have patched their systems and recommending that you reset your password.
Along with those genuine emails, you can expect a lot of spam emails, so it is even more important to take your time and check those “reset password” links.
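As an added example (not part of the original post), here is a small POSIX shell script that classifies the output of “openssl version” against the affected range named above; the sample version lines are constructed, and the `--local` flag is my own convention.

```shell
#!/bin/sh
# Added example, not from the original post: classify an "openssl version"
# line against the range the post names, 1.0.1 through 1.0.1f (inclusive).
# Assumes the usual "OpenSSL <version> <date>" output format.
#
# Caveat: distribution packages often backport the fix without changing the
# version letter (the binary still reports e.g. 1.0.1e), so "vulnerable" here
# means "confirm against the package changelog", not a proven finding.

# Usage: classify_openssl_version "OpenSSL 1.0.1e 11 Feb 2013"
# Prints one of: vulnerable | fixed | other
classify_openssl_version() {
    # Keep only the version field (second word), e.g. 1.0.1e or 1.0.1e-fips.
    ver=${1#* }        # drop the leading "OpenSSL " (no-op if absent)
    ver=${ver%% *}     # drop the build date that follows
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;  # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)                   echo fixed ;;       # 1.0.1g and later
        1.0.1*)                        echo vulnerable ;;  # pre-release tags of 1.0.1
        *)                             echo other ;;       # not the 1.0.1 series
    esac
}

# Run the check against the OpenSSL binary on this machine, if there is one.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH" >&2
        return 2
    fi
    line=$(openssl version)
    printf '%s -> %s\n' "$line" "$(classify_openssl_version "$line")"
}

# Only touch the local binary when asked to, so the functions can be sourced.
if [ "${1:-}" = "--local" ]; then
    check_local_openssl
fi
```

A result of "other" covers every series this post does not discuss, so check those against the vendor advisory rather than assuming they are safe.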
EDIT – 11th of April:
As discussed in the link below, it is interesting to note that this vulnerability also affects client applications that use OpenSSL to protect their connections. We have yet to see the full impact this issue will have on both servers and clients!
Also, as usual, xkcd has produced a great comic describing the issue :)