Don't Panic
James Gimbi
Heartbleed has been appropriately described as “catastrophic” by just about everybody. We know that credentials, taxpayer information, VPN sessions, and even SSL private keys have been compromised. And while it has only been known to us mere mortals for a few short days, there is no telling how long it has been sitting in some threat actor’s toolbox.
Yet, facing one of the more grievous vulnerabilities in recent memory, some have found a way to overreact. There have been some subtle suggestions that encryption constitutes critical infrastructure and ought to be subject to government oversight.
This is a bad idea for a myriad of practical and legal reasons, but one takes center stage. You do not let an actor with an interest in bypassing security software have a hand in steering said security software. Want a good case study? Let a dingo guard your baby. If you need something a bit more material, read this mailing thread from the Crypto Forum Research Group.
That isn’t to say we don’t need more eyes on the code. What’s cool is we are starting to see a push for independent code review, and that is about to get more common. The Open Crypto Audit Project raised funds for a formal code review of TrueCrypt, another ubiquitous encryption tool. They have had some great success, and I am eager to see what project they take on next. Wouldn’t be a bad time to tackle OpenSSL.
How should a sysadmin handle Heartbleed? Patch OpenSSL binaries. Revoke old certificates. Buy new certificates. Reset all user passwords. Take a coffee break. Ready yourself for a similar event (Perfect Forward Secrecy won’t hurt).
How should you handle Heartbleed?
- Stop calling your Congressman; put down the phone.
- Reset all your passwords.
- Take a coffee break.
- Learn to use a password manager (I like KeePass).