Admins: why not review config standards as you fix Heartbleed?
As you have to update your SSL anyway, why not make sure your configuration is up to modern standards?
There has been plenty of noise about Heartbleed, so if you’re an admin, you already know what to do.
1. Find everything you have using vulnerable versions of OpenSSL
2. Update to the latest OpenSSL version
3. Create new private keys and SSL certificates as the old ones may have leaked
4. Revoke old certificates
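The four steps above, collected into a small POSIX shell script as an added example (this is not code from the original post): a version-string triage for step 1 and an `openssl req` invocation that produces a fresh key and CSR for step 3. The affected range it checks (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the upstream one; the hostname and output directory are placeholders. The comment on the check explains why a hit from a distribution package still needs a changelog look before you call it vulnerable.

```shell
#!/bin/sh
# Heartbleed triage helpers (added example, not from the original post).
# Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug;
# 1.0.1g and later, and the 0.9.8 / 1.0.0 branches, do not.

# Pull the version token out of "openssl version" output, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_from_banner() {
    set -- $1
    printf '%s\n' "$2"
}

# Exit 0 if the upstream version string is in the affected range.
# Caveat: distributions backport fixes without bumping the version string
# (a patched 1.0.1e package still reports 1.0.1e), so treat a hit as
# "read the package changelog", not as proof that the host is vulnerable.
heartbleed_affected_version() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta1|1.0.2-beta1-*)              return 0 ;;
        *)                                       return 1 ;;
    esac
}

# Step 1 on the local box: report on whatever openssl is on PATH.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH"; return 0; }
    v=$(openssl_version_from_banner "$(openssl version)")
    if heartbleed_affected_version "$v"; then
        echo "OpenSSL $v: in the affected range - check the package changelog, then update (step 2)"
    else
        echo "OpenSSL $v: upstream version outside the affected range"
    fi
}

# Step 3: a fresh 2048-bit RSA key and a CSR for one host. Submit the CSR to
# your CA, then revoke the certificate that was issued for the old key (step 4).
# $1 = hostname (placeholder), $2 = output directory (defaults to the cwd).
regenerate_key_and_csr() {
    host="$1"; outdir="${2:-.}"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$host.key" -out "$outdir/$host.csr" \
        -subj "/CN=$host"
    chmod 600 "$outdir/$host.key"
}

check_local_openssl
# regenerate_key_and_csr www.example.com /etc/ssl/private   # run once per host
```

Run the triage across your fleet by shipping the script to each host (or feeding it the output of `openssl version` collected by your configuration management), and only run the regeneration line once the updated package is installed, so the new key is never handled by a vulnerable build.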
But since you have to touch your server configuration and create new SSL certificates anyway, we would recommend that you also review your certificate generation settings and server configuration. Heartbleed is not the only problem in SSL/TLS implementations: a poorly chosen protocol or a weak cipher can be just as dangerous as the Heartbleed bug.
As recommended reading we would suggest: OWASP Transport Layer Protection Cheat Sheet
Bonus points opportunity!
5. Implement Perfect Forward Secrecy (PFS). It’s the “Prefer Ephemeral Key Exchanges” rule in the OWASP cheat sheet.
See this EFF post for details: Why the Web Needs Perfect Forward Secrecy More Than Ever
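As an added example of the "Prefer Ephemeral Key Exchanges" rule (our code, not from this post, OWASP or nginx), here is a shell audit of an nginx TLS fragment: a constructed weak configuration beside a hardened one that lists ECDHE/DHE suites first, turns on server cipher preference, and drops SSLv3 and RC4. The directive names are real nginx directives; the two configurations and the `/etc/nginx/dhparam.pem` path are constructed samples.

```shell
#!/bin/sh
# Audit of nginx TLS settings for the OWASP "prefer ephemeral key exchanges" rule.
# Added example; the two configurations below are constructed samples.

# Weak: SSLv3 still on, no TLS 1.2, the client chooses the suite, no PFS
# preference, RC4 not excluded.
WEAK_CONF='
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
'

# Hardened: ephemeral (ECDHE/DHE) suites listed first, the server picks the
# suite, SSLv3 and RC4 gone. DHE suites need ssl_dhparam pointing at your own
# 2048-bit parameters, otherwise nginx falls back to weak built-in defaults.
HARDENED_CONF='
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4;
    ssl_dhparam /etc/nginx/dhparam.pem;
'

# Print the value of one directive ("ssl_protocols SSLv3 TLSv1;" -> "SSLv3 TLSv1").
# $1 = directive name, config text on stdin.
directive_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p"
}

# Print one FINDING line per weakness; config text on stdin.
audit_tls_conf() {
    conf=$(cat)
    protocols=$(printf '%s\n' "$conf" | directive_value ssl_protocols)
    ciphers=$(printf '%s\n' "$conf" | directive_value ssl_ciphers)
    prefer=$(printf '%s\n' "$conf" | directive_value ssl_prefer_server_ciphers)

    case " $protocols " in
        *" SSLv2 "*|*" SSLv3 "*)
            echo "FINDING: SSLv2/SSLv3 enabled in ssl_protocols: $protocols" ;;
    esac
    case "$protocols" in
        *TLSv1.2*) ;;
        *) echo "FINDING: TLSv1.2 not enabled, so no AEAD (GCM) suites are possible" ;;
    esac
    [ "$prefer" = "on" ] ||
        echo "FINDING: ssl_prefer_server_ciphers is not on; the client's order wins"
    case "$ciphers" in
        ECDHE-*|DHE-*) ;;   # first listed suite is ephemeral: PFS is preferred
        *) echo "FINDING: ssl_ciphers does not lead with an ECDHE/DHE suite: $ciphers" ;;
    esac
    case ":$ciphers:" in
        *:!RC4:*) ;;
        *) echo "FINDING: RC4 is not excluded from ssl_ciphers" ;;
    esac
}

# Number of findings for the config on stdin (0 means it passes this audit).
finding_count() {
    audit_tls_conf | grep -c '^FINDING' || true
}

echo "== weak config =="
printf '%s\n' "$WEAK_CONF" | audit_tls_conf
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONF" | audit_tls_conf
```

Point it at a real server block with `audit_tls_conf < /etc/nginx/conf.d/ssl.conf` after the key rotation; a zero finding count means the fragment prefers ephemeral suites and has SSLv3 and RC4 out, which is the PFS part of the OWASP cheat sheet, not the whole of it.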
Edited to add:
And one more thing!
6. Do not rely only on transport layer security. If your data is critical, use additional protection in your implementation.
Two factor authentication. PROVIDE IT. Please.
Added a note clarifying that the private key of course needs to be changed and old certs revoked. Thanks @oherrala.
On 09/04/14 At 09:39 AM