With all the noise and furor over Heartbleed, it's hard to filter through the clamor and get to the heart of what's truly important, both in the short and in the long term. Here, then, are the five most crucial aspects of Heartbleed that users and admins alike need to know about the worst news in Internet security in a long time.
1. The problem is bad, no question about it
Heartbleed is the name of a bug discovered in OpenSSL, a widely used library that provides SSL functionality on many server OSes. The bug allows an attacker to read out portions of memory from an affected system, enabling everything from the theft of the private keys behind SSL certificates to the impersonation of users and services.
This is bad news -- real bad. It's bad enough that it's made the front page of the New York Times website; bad enough that InfoWorld's Roger Grimes says it's worse than you think; bad enough that no less an authority on security than Bruce Schneier called it "catastrophic," and "On the scale of 1 to 10, this is an 11." In all, two-thirds of the sites on the entire Internet may be affected, according to Ars Technica's educated guesswork.
2. It's not hard to find out if you've been affected
Now for some good news: it's not difficult to test servers and determine if they're vulnerable. At least three online tests are out there: one by security firm Possible.lv, one by Filippo Valsorda, and one called "Reverse Heartbleed" that tests if a client is vulnerable, not just servers.
Testing servers en masse may be a different story, though. Crypto professor and researcher Matthew Green went into detail about the bug on his site and has linked to a try-at-your-own-risk Python 2.6 script that can be used to automate testing across multiple machines.
3. Patching OpenSSL may not be enough
If you've found your machines are vulnerable, the solution is to either recompile OpenSSL with a certain option disabled or swap in a version of OpenSSL that isn't vulnerable to the bug. The method varies between platforms, but a few good tutorials have already started to appear: how to deal with the problem on either CentOS or Ubuntu, for instance. The folks at Pantheon have also talked about how they patched 60,000 Drupal and WordPress sites in a matter of hours.
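As an added illustration (not from the article, and not OpenSSL's own tooling), the shell function below classifies a build from the two relevant lines of `openssl version -a`: the compile option the article alludes to is OPENSSL_NO_HEARTBEATS, and the affected upstream releases are 1.0.1 through 1.0.1f plus 1.0.2-beta1. The function names and sample strings are my own.

```shell
#!/bin/sh
# heartbleed_status VERSION_LINE COMPILER_LINE
#   VERSION_LINE:  first line of `openssl version -a`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
#   COMPILER_LINE: its "compiler:" line, which lists the -D flags used at build time
# Prints one of: heartbeats-disabled, vulnerable-upstream, patched, not-affected.
# Exit status is 1 only for vulnerable-upstream, so the function can gate scripts.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. 1.0.1e, 1.0.1e-fips, 1.0.2-beta1

    # A build compiled with heartbeats disabled is safe whatever its version.
    case "$2" in
        *OPENSSL_NO_HEARTBEATS*) echo "heartbeats-disabled"; return 0 ;;
    esac

    case "$ver" in
        # Upstream 1.0.1 (no letter), 1.0.1a-f and 1.0.2-beta1 contain the bug.
        1.0.1|1.0.1-*|1.0.1[abcdef]*|1.0.2-beta1*)
            echo "vulnerable-upstream"; return 1 ;;
        # Any other 1.0.1x (1.0.1g onward) or later 1.0.2 beta has the fix.
        1.0.1*|1.0.2-beta*)
            echo "patched"; return 0 ;;
        # 0.9.8, 1.0.0 and 1.0.2 final never had the heartbeat extension bug.
        *)
            echo "not-affected"; return 0 ;;
    esac
}

# Check the binary on this host (constructed helper; run as `sh check.sh --local`).
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
    info=$(openssl version -a 2>/dev/null)
    vline=$(printf '%s\n' "$info" | sed -n '1p')
    cline=$(printf '%s\n' "$info" | grep '^compiler:' || true)
    heartbleed_status "$vline" "$cline"
}

if [ "${1:-}" = "--local" ]; then
    check_local_openssl
fi
```

Distribution packages that backported the fix (Ubuntu and Red Hat did) keep the old upstream version string, so a "vulnerable-upstream" result on such a system means "consult the package changelog", not "definitely vulnerable".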
But patching OpenSSL may only be the tip of the required mitigation efforts. Because Heartbleed theoretically allows the theft of certificate keys, the SSL certificates themselves may need to be rekeyed or regenerated. This isn't a trivial operation, since it means a site's SSL functionality will be unavailable while the new keys are generated. If your SSL certificates were issued by a hosting provider (such as GoDaddy), odds are you'll be at its mercy until the new certificates have been issued.
What's more, if a site can't perform commerce or other crucial activities with SSL out, it's effectively dead in the water while SSL is disabled. Canada's online tax filing services had to be shut down completely in the wake of Heartbleed, leaving filers out in the cold right before their tax deadlines.