NEWS FROM THE LAB - Wednesday, April 9, 2014

Admins: why not review config standards as you fix Heartbleed?

Posted by Jarno @ 09:39 GMT

As you have to update your SSL anyway, why not make sure your configuration is up to modern standards?

There has been plenty of noise about Heartbleed, so if you're an admin, you already know what to do.

1. Find everything you have using vulnerable versions of OpenSSL
2. Update to the latest OpenSSL version
3. Create new private keys and SSL certificates as the old ones may have leaked
4. Revoke old certificates

But since you have to touch your server configuration and create new SSL certificates anyway, we would recommend that you also go through your certificate generation settings and server configuration. Heartbleed is not the only problem in SSL/TLS deployments: a poorly chosen protocol version or a weak cipher suite can be just as dangerous as the Heartbleed bug.

As recommended reading we would suggest: OWASP Transport Layer Protection Cheat Sheet

Bonus points opportunity!

5. Implement Perfect Forward Secrecy (PFS). It's the "Prefer Ephemeral Key Exchanges" rule in the OWASP cheat sheet.

See this EFF post for details: Why the Web Needs Perfect Forward Secrecy More Than Ever
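Two quick checks that go with step 1 (finding affected OpenSSL builds) and bonus step 5 (preferring ephemeral key exchanges), written for this post as an added example rather than taken from it. The version check uses the upstream affected range (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1); the cipher audit looks only at suite names that are spelled out in an Apache SSLCipherSuite or nginx ssl_ciphers string, so keywords such as HIGH are not expanded.

```python
"""Added example: two checks for the Heartbleed clean-up list.

check_openssl_version() -- step 1.  Distributions often backport the fix
without changing the upstream version string, so "vulnerable" means
"go read the package changelog", not "confirmed exploitable".

audit_cipher_list() -- bonus step 5.  Reports whether every ephemeral
(ECDHE/DHE) suite is listed before any static-RSA suite, and which listed
suites carry a marker of a weak or anonymous algorithm.  Keywords like HIGH
are not expanded; use `openssl ciphers -v '<string>'` to see the full list.
"""
import re

_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+\.\d+\.\d+[a-z]?(?:-[A-Za-z0-9]+)?)")
# Substrings that mark suites worth removing or reviewing (constructed list).
_WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "ADH", "AECDH", "MD5")


def check_openssl_version(version_output):
    """Classify an `openssl version` line as 'vulnerable', 'ok' or 'unknown'."""
    m = _VERSION_RE.match(version_output.strip())
    if not m:
        return "unknown"          # not an OpenSSL version string (e.g. LibreSSL)
    ver = m.group(1)
    base = ver.split("-")[0]      # drop build suffixes such as "-fips"
    if base == "1.0.1" or re.fullmatch(r"1\.0\.1[a-f]", base):
        return "vulnerable"       # 1.0.1 .. 1.0.1f shipped the faulty heartbeat code
    if ver == "1.0.2-beta1":
        return "vulnerable"
    return "ok"                   # 1.0.1g+, 1.0.0x and 0.9.8x are unaffected


def _is_ephemeral(suite):
    return suite.startswith(("ECDHE-", "DHE-", "EDH-"))


def audit_cipher_list(cipher_string):
    """Return PFS ordering and weak-suite findings for an OpenSSL cipher string."""
    tokens = [t for t in cipher_string.split(":") if t]
    # Keep explicit suite names; drop "!"/"-" exclusions and "@" directives.
    suites = [t.lstrip("+") for t in tokens if t[0] not in "!-@"]
    first_static = next((i for i, s in enumerate(suites) if not _is_ephemeral(s)),
                        len(suites))
    last_ephemeral = max((i for i, s in enumerate(suites) if _is_ephemeral(s)),
                         default=-1)
    weak = [s for s in suites if any(mk in s for mk in _WEAK_MARKERS)]
    return {
        "pfs_first": last_ephemeral != -1 and last_ephemeral < first_static,
        "weak": weak,
        "suites": suites,
    }
```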

Edited to add:

And one more thing!

6. Do not rely only on transport layer security. If your data is critical, use additional protection in your implementation.

Example: Younited. See the support question: How do I turn on advanced login authentication?

younited's 2FA

Two factor authentication. PROVIDE IT. Please.

Update:

Added note clarifying that private key of course needs to be changed and old certs revoked. Thanks @oherrala.