Did you patch OpenSSL yesterday? If not, why are you reading this? Go patch!
For everyone else, go ahead and calm down. I know everyone and their uncle is screaming for your users to change their passwords and for their certs to be reissued, but I’m not one of those people. Yes, this was a terrible bug. Yes, it was widely dispersed. Yes, it could allow for some very sensitive information to be accessed.
But let’s be reasonable here. Security people are very good at finding some extremely weird software behaviors, and exploiting those behaviors to get what they want. Because widespread exploits are so coveted, even mildly dangerous ones are praised and respected by fellow security researchers.
Now, I’m not saying this is mildly dangerous. What I am saying is that having to patch does not mean you were definitely compromised. Forcing all of your users to reset their passwords is, perhaps, a tad of an overreaction.
If you’re the CIA, a bank, or something extremely sensitive, perhaps that’s a good idea. But if not, maybe that’s not the way to go. After all, each malicious heartbeat exposed at most 64KB of the server process’s memory, and the attacker could not choose which 64KB: the bug echoes back whatever happened to sit next to the heartbeat record on the heap. That can be repeated to grab many different pieces of memory, but in all likelihood, using the bug against a typical server would yield fragments of other users’ requests (a session cookie, half a login and password) rather than the whole database. The worst case, the server’s private key turning up in one of those chunks, is what the calls to reissue certificates are guarding against, and a cert on its own is public anyway.
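To make the “64KB at a time” point concrete, here is a small simulation of the heartbeat handling, added for this post and not taken from OpenSSL itself. It builds a heartbeat record (RFC 6520 layout: type, two-byte length, payload, padding) in a simulated heap buffer with a constructed secret placed right after it, standing in for whatever OpenSSL happened to allocate next to the record. The vulnerable handler trusts the length field, the fixed one applies the same bounds check that OpenSSL 1.0.1g added. The function names, the `SECRET` string and the heap layout are all assumptions of the example; the heap array is deliberately sized so the over-read never leaves it, because a real over-read past an allocation is undefined behaviour in C.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated heap: one heartbeat record followed by an unrelated allocation.
 * Sized so that even a 65535-byte over-read stays inside this array. */
#define HEAP_SIZE (3 + 65535 + 256)
static uint8_t heap[HEAP_SIZE];
static uint8_t reply[65535];

/* Constructed "adjacent allocation" (assumption of this example): whatever the
 * server process last used that part of the heap for. */
static const char SECRET[] = "Cookie: session=8f3a...; user=alice&pass=hunter2";

/* Heartbeat request: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * The real payload is 2 bytes; `claimed` is whatever the attacker wrote in the
 * length field. Returns the record's true length. */
static size_t build_record(uint16_t claimed) {
    size_t n = 0;
    memset(heap, 0, sizeof heap);
    heap[n++] = 1;                          /* TLS1_HB_REQUEST */
    heap[n++] = (uint8_t)(claimed >> 8);
    heap[n++] = (uint8_t)claimed;
    heap[n++] = 'h'; heap[n++] = 'i';       /* the actual 2-byte payload */
    n += 16;                                /* minimum padding, already zeroed */
    memcpy(heap + n, SECRET, sizeof SECRET);   /* the neighbouring allocation */
    return n;
}

/* Pre-1.0.1g logic: trust the length field and echo that many bytes back. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                          /* never consulted: that is the bug */
    memcpy(out, rec + 3, claimed);          /* reads past the record when claimed > payload */
    return claimed;
}

/* 1.0.1g logic: silently discard any record whose claimed payload does not fit. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + 16) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + 16 > rec_len) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Byte-string search (memmem is not in the C standard). */
static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Send one request with the given claimed length through either handler
 * and report how many bytes came back. */
size_t reply_len(int fixed, uint16_t claimed) {
    size_t rec_len = build_record(claimed);
    return fixed ? heartbeat_fixed(heap, rec_len, reply)
                 : heartbeat_vulnerable(heap, rec_len, reply);
}

/* Did the neighbouring allocation come back in the reply? */
int leaks_secret(int fixed, uint16_t claimed) {
    size_t n = reply_len(fixed, claimed);
    return contains(reply, n, SECRET);
}

int main(void) {
    size_t n = reply_len(0, 0xFFFF);
    printf("vulnerable: sent 2 bytes, claimed 65535, got %zu back, secret leaked: %d\n",
           n, leaks_secret(0, 0xFFFF));
    printf("fixed:      same request answered with %zu bytes\n", reply_len(1, 0xFFFF));
    printf("fixed:      honest request (claimed 2) answered with %zu bytes\n", reply_len(1, 2));
    return 0;
}
```

Note what the simulation does and does not show: one request returns whatever sits in the 64KB after the record, which is why a single hit is usually fragments rather than a tidy dump, and why an attacker has to send many heartbeats to walk through different parts of the heap. Whether a private key ever lands in that window depends entirely on allocation patterns the attacker does not control.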
Perhaps a better approach is to check your authentication logs for logins from unexpected countries, unfamiliar devices, or at odd hours during the window between the disclosure and your patch. Keep in mind that exploitation itself leaves nothing in ordinary web server logs: the heartbeat is answered inside the TLS layer before any request is logged, so the evidence you are likely to find is an attacker using what they took, not the taking. This exploit is far more likely to have given an attacker a very narrow window through which to slip in than it is to have exposed Target-like swaths of credit card information.
The real thing to learn from all of this is that we seriously need to support OpenSSL with more resources, more eyeballs, and more developers. Currently, the OpenSSL development team consists of 11 people. I’ve heard that only about two of them are actively maintaining the project. If that’s the case, we need to seriously fix that problem. Can Apache take on OpenSSL? Can anyone pay their employees to help this project out?
It’s a tough one. I know that not just anybody can contribute code to one of the most important security projects for the Web. But we all rely on this software, so let’s make sure it stays secure. Spend some of your spare cycles looking at their bugs, and perhaps peer-reviewing the code.