Sunday, August 17, 2014

Silver bullet? No such thing

With recent activity surrounding OpenSSL / LibreSSL / BoringSSL and the ongoing debate into the feasibility of open source quality control, it may be worth sharing a couple of quick tips to help.

Changing passwords on systems affected by Heartbleed isn't going to fix the problem on its own - intruders can still get in and insert themselves between you and the destination. Once the vendor has resolved the issue with the OpenSSL version in use on their web server or router, it's better to ensure a few settings (where available) are enabled in your browser.

I had a look at Chrome, Aviator and IE and they all have these settings, but as I've stopped using other browsers I can't answer for the likes of Firefox or Safari - I'm sure they must have similar options by now.
  • In the HTTPS section of settings there will be a check box worded something like "Check for certificate revocation". Ensure this option is enabled / checked: once a vendor has updated OpenSSL it should obtain new SSL certificates and revoke the previous ones, and with revocation checking on, your browser will reject the revoked certificates. This option ensures no-one can use the old certificates to impersonate the site.
  • Enable SSL scanning in your security suite - usually vendors tuck the setting away somewhere in advanced settings, but your protected traffic should be subject to the same scans as your normal web traffic.
  • Ensure that use of obsolete secure layer protocols is rejected - a lot of home & personal security suites should allow you to do this easily, and it will be worded something like "Block encrypted communications using obsolete SSL v2 protocol".
  • If at all possible, force use of TLS 1.2 - this won't be possible everywhere as not all vendors and services have upgraded. Avoid use of TLS v1.0 if possible. SSL v1 was created by Netscape in 1995, so don't expect it to be so helpful 20 years later. TLS v1 dates back to 1999, so be realistic about that too. TLS v1.2 was "defined" in 2008 and v1.3 is currently in draft.
  • IE has an option (set to enabled by default I think) called "Warn about cert. address mismatch"; make sure this is still checked. It will provide a warning if the certificate was issued to a domain other than the one the client-server communication is actually happening on.
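The checklist above describes what a browser does for you; the same checks can be applied (and tested against a server) from a small client. The following is an added example, not code from the original post, using only Python's standard library: `hardened_context()` builds a TLS client that refuses anything below TLS 1.2, requires a verified certificate that names the requested host, and rejects revoked leaf certificates when a CRL is supplied (Python's `ssl` module has no OCSP support, so CRLs are the only revocation source it offers); `cert_matches_hostname()` implements the "address mismatch" rule browsers apply (subjectAltName first, commonName only when there is no SAN, single-label wildcards); and `probe()` connects to a real host and reports the result. The certificate dictionaries used in the notes below are constructed samples in the shape `SSLSocket.getpeercert()` returns, and `www.example.com`, `*.example.net` and `192.0.2.10` are placeholder values, not sites from the post.

```python
"""Client-side equivalents of the browser settings above (added example)."""
import ipaddress
import socket
import ssl


def hardened_context(cafile=None, crlfile=None):
    """Client SSLContext applying the checklist: obsolete protocols rejected
    (TLS 1.2 minimum), a trusted server certificate required and matched
    against the requested hostname and, when a CRL is supplied, revoked leaf
    certificates refused."""
    ctx = ssl.create_default_context(cafile=cafile)
    # "Force use of TLS 1.2": SSLv2, SSLv3, TLS 1.0 and TLS 1.1 handshakes fail.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # "Warn about cert. address mismatch", except the handshake is aborted
    # rather than warned about.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if crlfile is not None:
        # "Check for certificate revocation": Python's ssl module checks CRLs
        # only (no OCSP), and only CRLs loaded here. With the flag set and no
        # CRL loaded every handshake fails, hence the gate on crlfile.
        ctx.load_verify_locations(cafile=crlfile)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def _dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name (possibly a wildcard) against a
    hostname, RFC 6125 style: case-insensitive, trailing dots ignored."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, must be followed by at
    # least two labels (so "*.com" matches nothing), and covers exactly one
    # label (so "*.example.net" does not match "deep.api.example.net").
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _is_ip_literal(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def cert_matches_hostname(cert, hostname):
    """Does `cert` (the dict shape SSLSocket.getpeercert() returns) name
    `hostname`? Browsers consult subjectAltName whenever it is present and
    fall back to the subject commonName only when the certificate has no SAN."""
    san = cert.get("subjectAltName")
    if san is not None:
        if _is_ip_literal(hostname):
            wanted = ipaddress.ip_address(hostname)
            return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted
                       for kind, value in san)
        return any(kind == "DNS" and _dns_name_matches(value, hostname)
                   for kind, value in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def probe(host, port=443, timeout=5.0):
    """Connect with the hardened context; return the negotiated protocol and
    whether the presented certificate names `host`. A server offering only
    obsolete protocols, or an untrusted or mismatched certificate, raises
    ssl.SSLError instead of silently downgrading."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), cert_matches_hostname(tls.getpeercert(), host)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        try:
            print(target, *probe(target))
        except (ssl.SSLError, OSError) as exc:
            print(target, "REJECTED:", exc)
```

Run as `python tls_check.py host1 host2 ...` to see which hosts still fail a TLS 1.2-only, hostname-verified handshake. Note that `check_hostname=True` makes the library's own name matching authoritative during the handshake; `cert_matches_hostname()` is there to make the rule explicit and to let you inspect a certificate dictionary offline, for example one saved from an earlier connection.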
Please note: This is just a thin slice of the solutions available to a much wider problem. I hope that going forward vendors such as browser manufacturers and cloud solutions firms start making these settings the default.

I did ask BT if their devices were susceptible to Heartbleed but got no response - I will assume that the answer was "yes" and there's no documentation indicating whether an update has been applied to the closed system. BT tried to tell people that even though their devices were vulnerable it wouldn't matter because the intruder would have to be able to access your network to take advantage of the problem. That omits that their devices are Wi-Fi-enabled routers with guest networks for BT FON.

A lot of admins panicked in the days following the Heartbleed reports and updated their systems with the faulty version so it pays to be a bit more careful as the end user. Don't assume there's a warm blanket encasing your journey online and take responsibility for yourself.