First published: Apr 11, 2014, 3:00pm -0700
Last edited: Apr 11, 2014, 3:00pm -0700

Heartbleeding OpenSSL Checklist

This article was originally posted on Space Monkey’s blog.

So, you’re a company that uses SSL and just found out about the “Heartbleed OpenSSL bug” (if you are instead a Space Monkey customer and want to know more about how this affects you, please see this blog post).

Did you (in order):

  1. Patch and/or upgrade all of your OpenSSL-using services including any client software you might ship (clients are vulnerable too)?
  2. Download and use a vulnerability detector or use the excellent Qualys SSL Labs server tester to make sure your services are no longer vulnerable to future incursions?
  3. Reissue new private keys and certificates to all of your OpenSSL-using services?
  4. Revoke your old certificates?
  5. Enable forward secrecy? (Don’t expect to be able to enable forward secrecy for every possible browser. Cipher suites are a diverse and tricky thing.)
  6. Do a quick sanity check on forward secrecy with the Qualys SSL Labs server tester? (If you’re a user and want to check out other websites too, it’s a great resource.)
  7. Invalidate all user sessions?
  8. Tell users it is now safe and recommended to change their passwords? It doesn’t make any sense for users to change their passwords (and they are being told to en masse) until you patch your holes. (As a user, make sure to use a vulnerability detector prior to changing your password.)
  9. Invalidate any other secret or private data that you can that was accessible by or transferred through the process doing SSL termination?
  10. Do all of the above in the right order?
  11. Make sure to change your passwords with external services?
  12. Donate money or resources to OpenSSL?

Why you should donate to OpenSSL

As Matthew Green pointed out, OpenSSL (and other cryptographic libraries) should really be considered Critical Infrastructure. OpenSSL is developed by a very dedicated but woefully underfunded team, even though two-thirds of the Internet rely on it.

Many people have called for OpenSSL’s metaphorical head due to this fiasco. The pragmatic truth is tons of systems rely on OpenSSL that frankly aren’t going to be able to migrate to something else anytime soon. As a result, one of the best things we can do to help Internet security and safety in general is to help OpenSSL get better audited. As Dan Kaminsky wrote, we need to dedicate genuine resources to supporting critical code.

Like two-thirds of the Internet, we rely on OpenSSL heavily. Recent news reports suggest that OpenSSL received a grand total of $841 in donations since the heartbleed bug was dropped on the Internet at large. This is tragic. We’re donating, and you should, too.

We need OpenSSL to be safe, so we’re donating $1000 to the OpenSSL project. Are you donating?

Let’s work together to end this era of underfunding crucial Internet components.