The story is still unfolding
We’ve been asked for a list of the diagnostic and discovery resources we’ve been using in our work on the OpenSSL issue. So here they are:
https://www.openssl.org/news/secadv_20140407.txt
http://heartbleed.com/ (this is the most authoritative)
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
http://seclists.org/fulldisclosure/2014/Apr/90
http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.html
http://blog.bro.org/2014/04/detecting-heartbleed-bug-using-bro.html
http://blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/
http://wellpepper.com/cve-2014-0160-aka-the-heartbreak-bug
http://www.garage4hackers.com/entry.php?b=2551
http://blog.erratasec.com/2014/04/using-masscan-to-scan-for-heartbleed.html
https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/
https://www.mattslifebytes.com/?p=533
http://coderinaworldofcode.blogspot.com/2014/04/my-heart-bleeds-for-openssl.html
http://serverfault.com/questions/587329/heartbleed-what-is-it-and-what-are-options-to-mitigate-it
http://theevilbit.blogspot.com/2014/04/cve-2014-0160-heartbleed.html
http://lonesysadmin.net/2014/04/09/8-practical-notes-heartbleed-cve-2014-0160/
http://blog.rubygems.org/2014/04/09/heartbleed.html
http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
http://techalways.wordpress.com/2014/04/10/heartbleed-bug-u-were-warned/
https://isc.sans.edu/forums/diary/Patch+Now+OpenSSL+Heartbleed+Vulnerability/17921
http://www.net-security.org/secworld.php?id=16661
The full extent of Heartbleed is not yet understood, and the tools are still being developed and refreshed. Despite the many hours they take to run properly, we’re using every one we think is of merit, and helping these tools evolve.
We note also that the Certificate Authorities have updated their lists of revoked certificates (undermining the process significantly).
Some browsers are not recognising problematic SSL certificates either. Users need to have that setting enabled in their browsers – we’re hoping Firefox, Chrome and Internet Explorer move fast on this.
False positives
One of the most difficult challenges is dealing with the conflicting outputs from the diagnostic tools available.
Some of the results are contradictory, and some of the tools used by the security vendors seem not to be as current or thorough as the tools developed by the general community. In all cases, the tools seem to be labelled as ‘experimental’ or similar, which is something all end clients should be made aware of. A lot of education is required in explaining the results.
Change passwords?
This is a very easy thing for the industry to recommend. But it is a very onerous thing for clients to ask their customers, the general public.
Thus far we’ve counselled against password change recommendations because we feel the threat is still not fully understood. Therefore, until we have that certainty (and the vulnerability is patched), we’re not recommending a blanket password change.
Where we feel individual cases merit a password change, we’ve contacted the clients concerned directly.