{"id":803,"date":"2014-04-11T08:39:22","date_gmt":"2014-04-11T12:39:22","guid":{"rendered":"http:\/\/www.bhargavs.com\/?p=803"},"modified":"2014-04-11T08:39:22","modified_gmt":"2014-04-11T12:39:22","slug":"what-does-heartbleed-vulnerability-mean-to-you","status":"publish","type":"post","link":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/","title":{"rendered":"What does Heartbleed vulnerability mean to you"},"content":{"rendered":"

A lot has been said lately of Heartbleed since its announcement few days ago. However, as it goes with overload of information at times, media attention has managed to create mass confusion and hysteria on this topic. Hopefully this post will help answer some of your questions. Let\u2019s try to break it down<\/p>\n

The Vulnerability<\/h3>\n

The issue stems from a bug in OpenSSL\u2019s implementation of TLS heartbeat extensions. While trying to optimize use of resources when decrypting\/encrypting SSL traffic, programming mistake is claimed to have created this vulnerability. Such is nature of software development. Sometimes we don\u2019t realize full effect of a change that seems to have desired effect we are trying to achieve. Certainly why holistic approach to secure coding should be paramount for any development projects.<\/p>\n

While the vulnerability was made public recently, it has been out in wild since March of 2012 when OpenSSL 1.0.1 was released. OpenSSL versions 1.0.1 through 1.0.1f are affected. Versions prior to 1.0.1, OpenSSL 1.0.0\/OpenSSL 0.9.8 are not affected. 1.0.1g released on 7th April 2014 isn\u2019t affected either.<\/p>\n

So take that 2 years between March 2012 and now, and let\u2019s ask ourselves what was at stakes in those 2 years. The issue allowed attacker to read memory of the application\/device running affected version of OpenSSL, allowing them to gain access to data from clients and to clients from that application\/device. This included primary and secondary keys of SSL certificates used to encrypt data from client to server, and all the data that was in flight or in memory between client and server. This includes your passwords and any protected data users were sending to compromised services.<\/p>\n

Pretty serious\u2026<\/p>\n

The Impact<\/h3>\n

So where could these affected OpenSSL versions have been in use?<\/p>\n

Since OpenSSL is the most popular open source crypto library and TLS implementation used for encryption, it reaches beyond secure websites to email servers, VPN concentrators, Load balancers and ADCs that may be used for SSL offload and bridging, even client side software that uses these extensions. Even in places you would tend to not look. Take Microsoft Lync client for an example. While it may not be affected by OpenSSL bug per this post<\/a> from Microsoft, it was surprising to find that even some of Microsoft software was relying on this open source software!<\/p>\n

Actions you can take<\/h3>\n

For an end user, find out if any of the services you have been using is impacted. There are many websites that can verify and report if the service are vulnerable. One of them is http:\/\/possible.lv\/tools\/hb<\/a>. If you find out that your favorite banking portal or email service or the technology forum you visit regularly is affected, first thing you can do is stop using it and contact vendor to find out their plan to fix the vulnerability. There have been articles suggesting to immediately change your passwords, that\u2019s the worst thing you can do. Reason being, if you change the password and the service hasn\u2019t yet fixed the vulnerability, you are only providing new password out in the open. Whether someone is actively exploiting it or not is different story but would you take that chance? I wouldn\u2019t!<\/p>\n

For an IT Pro, architects, systems engineers, you should take a holistic look at your systems and find out what could be affected by this vulnerability. Reach out to vendors of each of those applications\/devices and formulate strategy to apply fixes. It doesn\u2019t end there however. You need to also replace all certificates that were in use during the exposure. This is important because what good are those certificates even if you fix the vulnerability? The attacker might have keys to the kingdom already unless you change the lock itself!<\/p>\n

Lastly, as an organization affected by the vulnerability, you need to analyze what the impact was on your data and if secured data was compromised in any way. This might be more difficult as it has far reaching impact both financially and politically. But transparency is the best policy that goes long way in winning customer trust. Even if initial announcement of impact might look like bad news you want to avoid.<\/p>\n

There is lot of good information available on http:\/\/heartbleed.com\/<\/a> if you want to keep digging for more. <\/p>\n

Cheers!<\/p>\n","protected":false},"excerpt":{"rendered":"

A lot has been said lately of Heartbleed since its announcement few days ago. However, as it goes with overload of information at times, media attention has managed to create […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pgc_sgb_lightbox_settings":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[24,26],"tags":[94,127,141,142,160,174],"class_list":["post-803","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-bug","tag-exchange-server","tag-heartbleed","tag-heartbleed-bug","tag-lync-server","tag-microsoft"],"yoast_head":"\nWhat does Heartbleed vulnerability mean to you - Bhargav's IT Playground<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What does Heartbleed vulnerability mean to you - Bhargav's IT Playground\" \/>\n<meta property=\"og:description\" content=\"A lot has been said lately of Heartbleed since its announcement few days ago. However, as it goes with overload of information at times, media attention has managed to create […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/\" \/>\n<meta property=\"og:site_name\" content=\"Bhargav's IT Playground\" \/>\n<meta property=\"article:published_time\" content=\"2014-04-11T12:39:22+00:00\" \/>\n<meta name=\"author\" content=\"Bhargav\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Bhargav\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/\"},\"author\":{\"name\":\"Bhargav\",\"@id\":\"https:\\\/\\\/bhargavs.com\\\/#\\\/schema\\\/person\\\/28f6d8c9b29f3a879483d65fc2ab5e26\"},\"headline\":\"What does Heartbleed vulnerability mean to you\",\"datePublished\":\"2014-04-11T12:39:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/\"},\"wordCount\":724,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/bhargavs.com\\\/#\\\/schema\\\/person\\\/28f6d8c9b29f3a879483d65fc2ab5e26\"},\"keywords\":[\"Bug\",\"Exchange Server\",\"HeartBleed\",\"Heartbleed Bug\",\"Lync Server\",\"Microsoft\"],\"articleSection\":[\"Security\",\"Technology\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/\",\"url\":\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/\",\"name\":\"What does Heartbleed vulnerability mean to you - Bhargav's IT Playground\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/bhargavs.com\\\/#website\"},\"datePublished\":\"2014-04-11T12:39:22+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/bhargavs.com\\\/index.php\\\/2014\\\/04\\\/11\\\/what-does-heartbleed-vulnerability-mean-to-you\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/bhargavs.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What does Heartbleed vulnerability mean to you\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/bhargavs.com\\\/#website\",\"url\":\"https:\\\/\\\/bhargavs.com\\\/\",\"name\":\"Bhargav's IT Playground\",\"description\":\"Passion for Technology. Power of Collaboration.\",\"publisher\":{\"@id\":\"https:\\\/\\\/bhargavs.com\\\/#\\\/schema\\\/person\\\/28f6d8c9b29f3a879483d65fc2ab5e26\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/bhargavs.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/bhargavs.com\\\/#\\\/schema\\\/person\\\/28f6d8c9b29f3a879483d65fc2ab5e26\",\"name\":\"Bhargav\",\"logo\":{\"@id\":\"https:\\\/\\\/bhargavs.com\\\/#\\\/schema\\\/person\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/bhargavs.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What does Heartbleed vulnerability mean to you - Bhargav's IT Playground","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/","og_locale":"en_US","og_type":"article","og_title":"What does Heartbleed vulnerability mean to you - Bhargav's IT Playground","og_description":"A lot has been said lately of Heartbleed since its announcement few days ago. However, as it goes with overload of information at times, media attention has managed to create […]","og_url":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/","og_site_name":"Bhargav's IT Playground","article_published_time":"2014-04-11T12:39:22+00:00","author":"Bhargav","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Bhargav","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/#article","isPartOf":{"@id":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/"},"author":{"name":"Bhargav","@id":"https:\/\/bhargavs.com\/#\/schema\/person\/28f6d8c9b29f3a879483d65fc2ab5e26"},"headline":"What does Heartbleed vulnerability mean to you","datePublished":"2014-04-11T12:39:22+00:00","mainEntityOfPage":{"@id":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/"},"wordCount":724,"commentCount":0,"publisher":{"@id":"https:\/\/bhargavs.com\/#\/schema\/person\/28f6d8c9b29f3a879483d65fc2ab5e26"},"keywords":["Bug","Exchange Server","HeartBleed","Heartbleed Bug","Lync Server","Microsoft"],"articleSection":["Security","Technology"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/","url":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/","name":"What does Heartbleed vulnerability mean to you - Bhargav's IT Playground","isPartOf":{"@id":"https:\/\/bhargavs.com\/#website"},"datePublished":"2014-04-11T12:39:22+00:00","breadcrumb":{"@id":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/bhargavs.com\/index.php\/2014\/04\/11\/what-does-heartbleed-vulnerability-mean-to-you\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bhargavs.com\/"},{"@type":"ListItem","position":2,"name":"What does Heartbleed vulnerability mean to you"}]},{"@type":"WebSite","@id":"https:\/\/bhargavs.com\/#website","url":"https:\/\/bhargavs.com\/","name":"Bhargav's IT Playground","description":"Passion for Technology. Power of Collaboration.","publisher":{"@id":"https:\/\/bhargavs.com\/#\/schema\/person\/28f6d8c9b29f3a879483d65fc2ab5e26"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bhargavs.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bhargavs.com\/#\/schema\/person\/28f6d8c9b29f3a879483d65fc2ab5e26","name":"Bhargav","logo":{"@id":"https:\/\/bhargavs.com\/#\/schema\/person\/image\/"},"sameAs":["https:\/\/bhargavs.com"]}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":799,"url":"https:\/\/bhargavs.com\/index.php\/2014\/04\/08\/fix-your-kemp-loadmaster-for-heartbleed-bug\/","url_meta":{"origin":803,"position":0},"title":"How to protect your KEMP LoadMaster and applications from Heartbleed bug","author":"Bhargav","date":"April 8, 2014","format":false,"excerpt":"If you haven\u2019t read about heartbleed bug, it\u2019s pretty serious one you should know about. In a nutshell it exploits OpenSSL vulnerability to read system memory of computers\/machines\/applicances protedted by affected versions of OpenSSL. This means a hacker can steal your encryption keys as well as see unencrypted form of\u2026","rel":"","context":"In "KEMP"","block_context":{"text":"KEMP","link":"https:\/\/bhargavs.com\/index.php\/category\/technology\/load-balancing\/kemp\/"},"img":{"alt_text":"image","src":"https:\/\/i0.wp.com\/bhargavs.com\/wp-content\/uploads\/2014\/04\/image_thumb.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":485,"url":"https:\/\/bhargavs.com\/index.php\/2012\/11\/26\/createcluster-failed-with-0x5-adding-members-to-dag-in-exchange-2013\/","url_meta":{"origin":803,"position":1},"title":"CreateCluster() failed with 0x5 adding members to DAG in Exchange 2013","author":"Bhargav","date":"November 26, 2012","format":false,"excerpt":"UPDATE: While TechNet article \u201cCreate a Database Availability Group\u201d only mentions Windows 2008 R2 domain controllers, I must thank Scott Schnoll for the following clarification: \"Creating an Exchange 2013 DAG with Mailbox servers on Windows Server 2012? You must pre-stage CNO before adding first server!\". TechNet documentation will be updated\u2026","rel":"","context":"In "Exchange 2013"","block_context":{"text":"Exchange 2013","link":"https:\/\/bhargavs.com\/index.php\/category\/microsoft\/exchange-server\/exchange-2013\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1686,"url":"https:\/\/bhargavs.com\/index.php\/2012\/10\/18\/mvp-webinar-load-balancing-lync-2010-2013-in-the-real-world\/","url_meta":{"origin":803,"position":2},"title":"MVP Webinar: Load Balancing Lync 2010 & 2013 in the Real World","author":"Bhargav","date":"October 18, 2012","format":false,"excerpt":"UPDATE: KEMP Technologies has posted video recording of webinar which can be accessed here: http:\/\/www.kemptechnologies.com\/KEMP-lync-modality-webinar\/ Slide Deck is available here:KEMP Lync Webinar Kemp Technologies is hosting a complimentary webinar on November 8 where we will be discussing Load Balancing for Lync 2010 and 2013. I have included details about webinar\u2026","rel":"","context":"In "Events"","block_context":{"text":"Events","link":"https:\/\/bhargavs.com\/index.php\/category\/events\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":973,"url":"https:\/\/bhargavs.com\/index.php\/2014\/08\/29\/scvmm-bare-metal-deployment-failure-with-supermicro-servers\/","url_meta":{"origin":803,"position":3},"title":"SCVMM bare metal deployment failure with SuperMicro servers","author":"Bhargav","date":"August 29, 2014","format":false,"excerpt":"I am not sure if laziness is side effect of automation or automation was born out of laziness, either way it has helped transform IT by increasing efficiency and reducing errors while performing repetitive tasks. It removes human element of error, it increases speed of deployments and it frees up\u2026","rel":"","context":"In "System Center VMM"","block_context":{"text":"System Center VMM","link":"https:\/\/bhargavs.com\/index.php\/category\/cloud\/system-center-vmm\/"},"img":{"alt_text":"image","src":"https:\/\/i0.wp.com\/bhargavs.com\/wp-content\/uploads\/2014\/08\/image_thumb.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":1649,"url":"https:\/\/bhargavs.com\/index.php\/2010\/05\/19\/script-to-configure-static-ports-on-exchange-server-2010\/","url_meta":{"origin":803,"position":4},"title":"Script to configure static ports on Exchange Server 2010","author":"Bhargav","date":"May 19, 2010","format":false,"excerpt":"This post is depricated. Please use newer version of script and read more details here: http:\/\/www.bhargavs.com\/index.php\/2011\/10\/21\/script-to-configure-static-ports-on-exchange-server-2010-2\/ If you are planning to implement or are implementing Exchange Server 2010, you may have already noticed that with new changes introduced in this version we highly recommend that you load balance your CAS\u2026","rel":"","context":"In "Exchange 2010"","block_context":{"text":"Exchange 2010","link":"https:\/\/bhargavs.com\/index.php\/category\/microsoft\/exchange-server\/exchange-2010\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1651,"url":"https:\/\/bhargavs.com\/index.php\/2010\/04\/07\/how-to-install-update-rollups-remotely-on-exchange-2010-server\/","url_meta":{"origin":803,"position":5},"title":"How to install Update Rollups remotely on Exchange 2010 server","author":"Bhargav","date":"April 7, 2010","format":false,"excerpt":"If you are like me, you are always looking for ways to not leave your chair, or for that matter, not switch windows. When it comes to install Update Rollups on every Exchange 2010 server you have, the same applies. So I set out to find a way and I\u2026","rel":"","context":"In "Exchange 2010"","block_context":{"text":"Exchange 2010","link":"https:\/\/bhargavs.com\/index.php\/category\/microsoft\/exchange-server\/exchange-2010\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_shortlink":"https:\/\/wp.me\/pkROc-cX","_links":{"self":[{"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/posts\/803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/comments?post=803"}],"version-history":[{"count":0,"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/posts\/803\/revisions"}],"wp:attachment":[{"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/media?parent=803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/categories?post=803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bhargavs.com\/index.php\/wp-json\/wp\/v2\/tags?post=803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}