Most of you have probably already heard of the "Heartbleed Bug", an extremely serious security vulnerability announced this week that affects large swathes of the internet. Incredibly, the bug has been around since March 2012, and unfortunately it is difficult or impossible to tell if any particular site has been exploited.
Here are our recommendations for securing your sites and servers and protecting your data and your users, in order of importance:
- Assess your current vulnerability. You can check to see if your site is currently vulnerable with this tool. Note that your server may be vulnerable to attack even if you don't use or require SSL on your site.
- Ensure that your servers are running a patched version of OpenSSL (or an older version from before the bug was introduced). We can help you with this, and if you're a Singlebrook customer, chances are good that we've already taken care of this step for you.
- Install re-issued SSL certificates. Heartbleed made it possibile to steal servers' private keys, so even if your server is patched, an attacker who has your private key can still decrypt your users' data in transit. Replacing your SSL certificate protects your data in transit for the future. Re-issues of your certificate are typically free with most SSL vendors, but it will take us between 30 minutes and 2 hours to request, approve, and install each new certificate.
- Reset all user sessions, requiring that they log in to your site anew.
- Force all users to reset their passwords.
- Notify your users of the actions you've taken to protect them and their data. Be sure to mention whether your site was vulnerable and for how long. If your web server has SSL, and was using an up-to-date OpenSSL, you've probably been vulnerable for about two years (or the life of the server, whichever is shorter).
- Reset your passwords, and use a different password for each account. This is a great time to add a password manager to your toolset, like 1Password or LastPass.
We can help you with these steps. We consider steps 1 and 2 to be absolutely required. Steps 3 and 4 are very strong recommendations if your server was vulnerable to Heartbleed at any time. Steps 5, 6, and 7 are recommended, but optional.