On April 7, 2014, a team of security researchers announced the discovery of a critical vulnerability dubbed “The Heartbleed Bug
”, found in OpenSSL, a widely-used open source cryptographic software library. GeoTrust is currently investigating the OpenSSL vulnerability – which allows attackers to read the memory of the systems using vulnerable versions of OpenSSL software.
This may disclose the secret keys, which allows attackers to decrypt and eavesdrop on SSL encrypted communications and impersonate service providers. In addition, other data in memory may be disclosed including names and passwords of the users or other data stored in memory by the service. GeoTrust recommends:
- Anyone using OpenSSL 1.0.1 through 1.0.1f update to the latest fixed version of the software, or recompile OpenSSL without the heartbeat extension.
- Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.
- Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory.
- Should be aware their data could have been seen by a third party if they used a vulnerable service provider
- Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
- Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
1. I don’t have any of the vulnerable OpenSSL versions do I need to take any action?
No, there is no further action required.
2. Who is affected?
As this is related to the way OpenSSL handles SSL/TLS during handshake, only servers using OpenSSL libraries during the SSL handshake are affected. This does not affect any other server software.
Any customer using OpenSSL 1.0.1 through 1.0.1f (inclusive) in their web server are vulnerable unless they disabled support for the heartbeat extension when OpenSSL was compiled.
3. Are code signing certificates impacted by this vulnerability?
4. Is this a design flaw in SSL/TLS?
This is not a vulnerability with SSL/TLS or GeoTrust.
SSL/TLS is not broken, nor are the digital certificates issued by GeoTrust and it’s brands.
5. Am I impacted by the vulnerability in OpenSSL?
Test for the vulnerability at:
6. What is the remediation plan?
- Upgrade to the latest fixed version of OpenSSL.
- If this is not possible customers can recompile OpenSSL with the handshake removed from the code by compile time option
- Please consult your server administrators with regards to updating or recompiling OpenSSL.
- The latest version OpenSSL is now available here, including bug and security fixes
- Update your web server (Apache, nginx) using the latest version of OpenSSL.
- As a safety measure it is highly advisable to replace the web server certificate after the OpenSSL upgrade.
- Create a new private key & Certificate Signing Request (CSR).
NOTE: Do not reuse the existing private key & Certificate Signing Request (CSR).
- To reissue your certificate from a GeoTrust Security Center account, view the steps in SO22159
- To reissue your certificate from a GeoTrust Enterprise Security Center account, view the steps in SO21129
- To reissue your certificate via Partner Channel, view the steps in SO5989
- To reissue your certificate via Enterprise SSL, view the steps in SO5989
- After installing the reissued certificate, the previous issued certificate should be removed from the server or device. Once confirmed working, you need to revoke the previous certificate.
7. Will replacing the certificates cost anything?
Replacements are free for the lifetime of the certificate.
8. How long will it take to get the new certificate?
This depends if any certificate vetting is required. If the certificate is replaced without vetting we may be able to reissue the certificate instantly. For questions on reissuance please contact Customer Support
9. Does Heartbleed affect my other GeoTrust security deployments?
Verify if in these deployments any OpenSSL libraries have been used and which OpenSSL the server is using. If they fall into the category of above mentioned vulnerable versions there is a security risk and you need to take appropriate action to mitigate.