Website and server administrators will have to spend considerable time, effort, and money to mitigate all the security risks associated with Heartbleed, one of the most severe vulnerabilities to endanger encrypted SSL communications in recent years.
The flaw, which was publicly revealed Monday, is not the result of a cryptographic weakness in the widely used TLS (Transport Layer Security) or SSL (Secure Sockets Layer) communication protocols, but stems from a rather mundane programming error in a popular SSL/TLS library called OpenSSL that's used by various operating systems, Web server software, browsers, mobile applications, and even hardware appliances and embedded systems.
Attackers can exploit the vulnerability to force servers that use OpenSSL versions 1.0.1 through 1.0.1f to expose information from their private memory space. That information can include confidential data like passwords, TLS session keys and long-term server private keys that allow decrypting past and future SSL traffic captured from the server.
At first glance, dealing with this problem appears to be easy: update OpenSSL to the patched versions that should now be available for most operating systems and it's done. However, taking into consideration the possibility that the flaw might have been exploited by attackers by the time a particular server was patched and that its secret TLS keys might have been compromised, things are suddenly more complicated.
The first thing website owners should do is determine who is responsible for maintaining the OpenSSL software on the servers that host their sites.
"If it is a dedicated server, it is your responsibility," researchers from Web security firm Sucuri said in a blog post. "If you are on a shared hosting platform, contact your hosting provider to remind them to update their servers."
Once the OpenSSL installation is patched on the server and attacks are no longer possible, it's time to obtain a new SSL certificate and revoke the old one to ensure that any private key information attackers might have obtained though the flaw won't allow them to decrypt traffic in the future.