Heartbleed Vulnerability: Our Recommendations to Users

    The Heartbleed vulnerability, which is present in the "heartbeat" component of some versions of OpenSSL, has already been described in sufficient detail elsewhere. Its main feature is that an attacker can read a range of memory (64KB long) from a process on a server that uses this library. By sending a specially crafted request, attackers exploiting this vulnerability can:

    • Steal logins and passwords for your services.
    • Access confidential cookies.
    • Steal the private SSL / TLS key of the server you are communicating with over HTTPS (compromising HTTPS).
    • Steal any secret information that HTTPS protects (read e-mails, messages stored on the server, etc.).

    With the server's private SSL / TLS key in hand, attackers can also compromise HTTPS later, impersonating the server through a well-known attack such as MitM.

    An example of successful exploitation is Yahoo, which was exposed to this vulnerability. Using Heartbleed, it was possible to quickly obtain user logins and passwords in clear text. [The vulnerability has since been fixed and the HTTPS certificate reissued.]



    We advise users:

    • Contact the technical support of the Internet services where you have accounts (including e-mail and online banking) to clarify whether these services were potentially vulnerable.
    • If you received confirmation that the service was vulnerable, or suspect that it has been compromised, change your password there.
    • Monitor your online banking transactions for any suspicious activity.

    If you use the Google Chrome browser, enable the "Check if the server certificate has been revoked" option so that the browser refreshes its view of website certificates and rejects revoked ones. This setting is disabled by default.



    To administrators:

    • If you are using OpenSSL version 1.0.1 - 1.0.1f, upgrade to the latest version, 1.0.1g, which contains the fix for the heartbeat component.
    • After upgrading OpenSSL, generate a new private key and a new SSL / TLS certificate.
    • Revoke the old certificate.
    • Notify service users that they need to change their passwords, as these might have been compromised.
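    As an added example, not part of the original advisory: a POSIX shell helper that classifies the local `openssl version` string against the affected range named above and sketches the key and CSR regeneration step that precedes revoking the old certificate. The key directory, key size and hostname are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the original advisory). Classifies an
# `openssl version` string against the Heartbleed-affected range
# 1.0.1 .. 1.0.1f and outlines the post-upgrade key rotation.
# Assumptions: POSIX host with the openssl CLI on PATH; file names
# and the 2048-bit key size below are placeholders.

# Print "vulnerable", "fixed", "unaffected" or "unknown" for a
# version string such as "OpenSSL 1.0.1f 6 Jan 2014".
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')               echo unknown ;;     # not an OpenSSL version banner
        1.0.1|1.0.1[a-f]) echo vulnerable ;;  # heartbeat bug present
        1.0.1*)           echo fixed ;;       # 1.0.1g and later carry the fix
        0.9.*|1.0.0*)     echo unaffected ;;  # branches without the heartbeat extension
        *)                echo unknown ;;     # outside the range the advisory names
    esac
}

# Post-upgrade rotation: fresh private key and CSR. The CSR goes to
# the CA; once the new certificate is installed, revoke the old one.
rotate_server_key() {
    host="$1"; keydir="${2:-/etc/ssl/private}"   # placeholder location
    umask 077                                    # new key readable by owner only
    openssl genrsa -out "$keydir/$host.key.new" 2048 &&
    openssl req -new -key "$keydir/$host.key.new" -subj "/CN=$host" \
        -out "$keydir/$host.csr" &&
    echo "Submit $keydir/$host.csr to your CA, install the new certificate, then revoke the old one."
}

# Check the locally installed library (falls back to "unknown" if openssl is absent).
status=$(classify_openssl_version "$(openssl version 2>/dev/null || echo 'OpenSSL unavailable')")
echo "local openssl: $status"
```

    Distribution packages often backport the fix while keeping a 1.0.1e version string, so treat "vulnerable" as a prompt to check the vendor's package changelog rather than a final verdict; builds compiled with -DOPENSSL_NO_HEARTBEATS are also unaffected.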
