How to defend against the OpenSSL Heartbleed flaw

10.04.2014

Fortunately, the OpenSSL Project, which maintains the library, has released a patch, so security teams can start deploying the fix right away.

The next step would be to change the SSL certificates used by the servers, since there is no way of knowing whether they have been compromised. An attacker exploiting the flaw can do so without leaving a trace.

"If an attacker has the private key for SSL, they can decrypt any sort of communications that may have been archived in the past and any future communications using that same public/private certificate," said Michael Coates, product director for Shape Security and chairman of the Open Web Application Security Project (OWASP).

Once certificates have been changed, the next step is to have people who use the affected systems change their passwords.

"It's definitely prudent to evaluate the risk posture of the organization and decide whether you want to force a password rotation for your user base," Coates said.
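The three steps above (patch, replace certificates, then rotate passwords) fit naturally into a triage script. The following is an added example written for this page, not code from the article or from the OpenSSL Project; the affected version range is taken from the OpenSSL Heartbleed advisory, and all inputs (version strings, certificate dates, patch date) are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the article: triage helpers for the three
# steps it describes (patch OpenSSL, replace certificates, rotate passwords).
# Affected version range: OpenSSL Heartbleed advisory. Inputs are constructed.

# Step 1: does this OpenSSL version string fall in the affected range?
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later are fixed.
# Returns 0 (true) when the version is in the affected range.
# Caveat: distributions often backport the fix without changing the version
# string (the package changelog is authoritative), so a hit here means
# "check the package", not "definitely vulnerable".
openssl_version_affected() {
    case "$1" in
        1.0.1 | 1.0.1[a-f] | 1.0.1[a-f]-* | 1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: a certificate whose NotBefore date precedes the day the host was
# patched was issued while the private key may already have been exposed, so
# it must be replaced with a freshly generated key pair and the old certificate
# revoked. Both dates are YYYY-MM-DD (convert the output of
# "openssl x509 -noout -startdate -in cert.pem" to that form); stripping the
# dashes gives integers that compare correctly with -ge. A same-day match is
# accepted here, so confirm the ordering by hand for certificates issued on
# patch day.
cert_postdates_patch() {
    not_before=$(printf '%s' "$1" | sed 's/-//g')
    patched_on=$(printf '%s' "$2" | sed 's/-//g')
    [ "$not_before" -ge "$patched_on" ]
}

# Step 3 (forcing a password rotation) is a risk decision the article leaves to
# the organisation, so this helper only reports which step comes next:
# "patch", "reissue-cert" or "rotate-passwords".
# Usage: next_step <openssl-version> <cert-not-before> <patch-date>
next_step() {
    if openssl_version_affected "$1"; then
        echo patch
    elif ! cert_postdates_patch "$2" "$3"; then
        echo reissue-cert
    else
        echo rotate-passwords
    fi
}

# Demo on constructed values: a host patched on 2014-04-08 whose current
# certificate was issued in 2013.
next_step 1.0.1e 2013-06-01 2014-04-08    # patch
next_step 1.0.1g 2013-06-01 2014-04-08    # reissue-cert
next_step 1.0.1g 2014-04-09 2014-04-08    # rotate-passwords
```

Run it per host after gathering `openssl version` and the certificate's start date; the version check is only a first filter, and a host whose package carries a backported fix should be cleared from the package changelog rather than from the version string.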
