What to expect from services following Heartbleed

Any web service you use that uses HTTPS could have been vulnerable to the OpenSSL Heartbleed vulnerability. It’s been a couple of days now since the vulnerability was made public, so I think it’s reasonable to expect any service to have issued some kind of statement.

There are two acceptable formats:

• We never used an affected version of OpenSSL.

OR

• We were using an affected version of OpenSSL. We have now:
  • Updated OpenSSL to a fixed version,
  • Recreated SSL keys and certificates,
  • Revoked old SSL certificates.

  We suggest that you log out of any active sessions, and change any passwords or authentication tokens.

Simply updating OpenSSL is not enough, since (as appears to be the case) the vulnerability does allow attackers to extract private keys.

The number of websites that have done this is depressingly small. You should be especially concerned if no such statement has been made and the certificate in use was not issued in the last couple of days.

GitHub has issued a model example. That’s the level of detail we should expect.

I don't host comments on my blog, but if you have thoughts or questions, you can let me know on Twitter: @hdgarrood