Heartbleed: Critical OpenSSL vulnerability if you run servers →
I’ve been assuming that everyone heard about this yesterday, but it’s still news to many, so it’s good to yell about it. If you’re responsible for any servers or VPSes at all, and they run any of the affected versions of OpenSSL (1.0.1 through 1.0.1f; the fix is in 1.0.1g), you need to patch them ASAP. Many Linux distributions, including the very conservative Red Hat Enterprise Linux and CentOS 6.5, ship an affected version. Most distributions backport the fix without changing the version number, so check the package changelog or your distribution’s advisory for the Heartbleed CVE rather than trusting the version string alone.
This bug is particularly severe: the flaw is in OpenSSL’s handling of the TLS heartbeat extension, and a single malformed heartbeat request makes the server hand back up to 64 KB of its own process memory to anyone on the network, with no authentication and, in most setups, nothing in the logs. Repeat the request enough times and that memory turns up the server’s private SSL key, along with session cookies, passwords, and whatever else was in flight. With the private key, an attacker can impersonate your site and decrypt captured traffic from any session that didn’t use a forward-secret cipher suite. Effectively, this completely defeats the benefits of SSL.
Test your vulnerability with Heartbleeder. It’s pretty shocking how many services, including many whose SSL is managed for them by a cloud provider, are still vulnerable a day after most Linux distributions had patches available. Part of the problem is that the bug lives wherever TLS is terminated: a load balancer or other appliance that decrypts SSL for you and proxies unencrypted traffic to your webservers is exposed in exactly the same way, even if every webserver behind it is patched, and it usually needs a firmware or vendor update of its own.
After you’ve patched, restart every process that had the old library loaded (nginx, Apache, Postfix, and anything else linked against OpenSSL; a reboot is the simplest way to be sure), because a running process keeps using the vulnerable code until it restarts. Then, since your private key may have been compromised, regenerate your SSL certificate from scratch: generate a new private key, create a new CSR from it, and have the certificate reissued. (Don’t just reuse the same key and CSR; a certificate reissued for a leaked key is still a leaked key.) Most SSL issuers will allow you to reissue or re-key certificates for free. Once the new certificate is installed, revoke the old one, and, because session cookies and passwords may have leaked as well, invalidate existing sessions and consider a password reset for your users.
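As an added example (not code from the original post, nor from the Heartbleeder tool), here is the procedure above as a POSIX sh script: a first screen on the version string, a check for a backported fix in the package changelog, a list of processes that still have the old library mapped after the upgrade, and the re-keying step. The CVE it greps for, CVE-2014-0160, is Heartbleed’s. The Debian/Ubuntu changelog path, the changelog wording it expects, and the example.com placeholder are assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post or from Heartbleeder.
#   sh heartbleed.sh check              # is this host's OpenSSL affected?
#   sh heartbleed.sh stale              # what still runs the old library?
#   sh heartbleed.sh rekey example.com  # new key + CSR (example.com = placeholder)

# True (exit 0) if an `openssl version` string names a release that shipped
# with the bug: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. Only a first screen:
# distributions backported the fix without bumping the version, so a patched
# box can still print 1.0.1e.
openssl_version_affected() {
    case "$1" in
        "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1-"*) return 0 ;;  # plain 1.0.1, no letter
        "OpenSSL 1.0.1"[a-f]*)                return 0 ;;  # 1.0.1a .. 1.0.1f
        "OpenSSL 1.0.2-beta1"*)               return 0 ;;
        *)                                    return 1 ;;
    esac
}

# True if the package changelog on stdin mentions the Heartbleed CVE.
# Assumption: the vendor's errata entry names CVE-2014-0160 literally.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

check() {
    v=$(openssl version)
    echo "installed: $v"
    if ! openssl_version_affected "$v"; then
        echo "version is outside the affected range (1.0.1 - 1.0.1f)"
        return 0
    fi
    echo "version string is in the affected range; looking for a backported fix"
    # RPM systems (RHEL/CentOS): the changelog is embedded in the package.
    if command -v rpm >/dev/null 2>&1 && rpm -q --changelog openssl | changelog_has_fix; then
        echo "PATCHED: openssl package changelog lists CVE-2014-0160"
    # Debian/Ubuntu (assumed path): the libssl1.0.0 package ships its changelog here.
    elif [ -f /usr/share/doc/libssl1.0.0/changelog.Debian.gz ] \
         && zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz | changelog_has_fix; then
        echo "PATCHED: libssl1.0.0 package changelog lists CVE-2014-0160"
    else
        echo "NO FIX FOUND: upgrade openssl now, then restart everything that uses it"
        return 1
    fi
}

# Patching the package is not enough: a running nginx, Apache, Postfix, etc.
# keeps the old, vulnerable libssl mapped until it is restarted. Linux marks a
# replaced-on-disk mapping "(deleted)" in /proc/PID/maps; that is what we grep.
# Run as root, otherwise other users' maps files are not readable.
stale_processes() {
    grep -l -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' /proc/[0-9]*/maps 2>/dev/null \
        | cut -d/ -f3 | sort -u \
        | while read -r pid; do
            printf '%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
          done
}

# Assume the old private key leaked: make a fresh key and a CSR from it, get
# the certificate reissued against that CSR, install it, then revoke the old
# one. Reusing the old key with a new CSR would just reissue a leaked key.
rekey() {
    domain=$1
    ( umask 077                                   # key file readable only by us
      openssl genrsa -out "$domain.key" 2048 )
    openssl req -new -key "$domain.key" -out "$domain.csr" -subj "/CN=$domain"
    echo "submit $domain.csr to your CA; keep $domain.key out of version control"
}

case "${1:-}" in
    check) check ;;
    stale) stale_processes ;;
    rekey) rekey "${2:?usage: $0 rekey DOMAIN}" ;;
esac
```

The version screen is deliberately pessimistic: it flags any 1.0.1a–1.0.1f string and then insists on evidence of the fix in the package changelog, because on RHEL/CentOS a fully patched box still reports 1.0.1e. An empty result from the stale check is what you want to see before you trust the patch; a non-empty one lists the daemons that are still serving the old code.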
When you’re done, while you’re in your app’s SSL guts, it’s a good idea to test your configuration for best practices. (The best I’ve gotten without losing IE support is an “A-” grade.)