What to do about the heartbleed bug?

Hi everybody,

I am a bit astonished that nobody wrote about the heartbleed bug discovered yesterday in OpenSSH yet. Today, we’re about to understand that the degree of possible damage is tremendous if we don’t do anything against it.

So I’m starting this thread to collect ideas about what you, as a shop owner or admin, would have to do to keep your application and your customer data safe.

Two things came instantly to my mind:
[ol]
[li]Request or check if your hosting provider installed the bug fix for it (for Debian machines, an update came today). AFAIK, one should be able to check it with $ ssh(d) -V in the terminal.[/li]
[li]Ask your clients to change their password! This is important as you don’t know if an attacker already started an exploit. Maybe you can bundle this request with a nice marketing campaign and a voucher.[/li]
[/ol]

Other ideas?

Nobody wants to talk with me about this topic? Honestly, this topic is serious enough, here you go:

Hope this is helpful for you guys

ProfiHost fixed it last Monday without telling anyone.
(Afaik)
We are changing the SSL certificate just to be sure.
I am not going to inform our customers.

Hi @ChristophH,

[QUOTE=ChristophH;143237]
I am not going to inform our customers.[/QUOTE]

Why not? I personally think this is important enough - everybody heard about it in the breaking news etc…

Cheers!

[QUOTE=Marco Steinhaeuser;143244]everybody heard about it in the breaking news etc…[/QUOTE]
Nobody likes being told to change passwords. This bug is serious, but at the same time it is rather vague; passwords may or may not have been stolen from just about any site. I think people are fed up with this kind of news, just like the BSI warning a few days ago, with this useless test site to check your e-mail address and get some all-purpose information in return.
As people have already been informed about this bug through the news, a separate warning by a shop owner could make it look like this specific shop had specific security problems (like Adobe had, for example).

Just got this from envato (teaser and link was in Newsletter): http://notes.envato.com/general/envato-response-to-the-heartbleed-ssl-vulnerability/
Very well done imho, maybe someone can use this as a suggestion.
