heartbleed

By now security and Web experts all over the world have gone berserk over a new – and exceedingly terrifying – vulnerability in the latest versions of OpenSSL called Heartbleed. Since the Joomla! CMS is in use by some of the world’s largest companies for their websites, and since OpenSSL is in use by many, many LAMP architectures (not only by Linux, but also by Apache), and since LAMP is the platform Joomla mostly runs on, we thought we’d give you a quick rundown on what the Heartbleed vulnerability means, whether you are affected by it, and what you can do to fix it.

Firstly, though, let’s give the good news first. If you are in total control over your Joomla website (especially the LAMP part), then you can easily fix Heartbleed on your website (and we’ll tell you how later on). If you are using WIMP or some other SSL implementation library (such as Microsoft’s SChannel or GnuTLS), then rejoice! for the Heartbleed vulnerability does not affect your website in the least. If you are using an older version of OpenSSL (i.e. 1.0.0 or lower), there is no corresponding vulnerability. And of course, if your website does not use SSL/TLS, then this is not an issue for it either.

Now, the bad news. OpenSSL is one of the most popular Free and Open Source (FOSS) SSL/TLS implementation libraries on the world, and Heartbleed affects all OpenSSL 1.0.1 releases until 1.0.1g (which was when it was patched and released on 7th April 2014). Since 1.0.1 came out in 2012, this means that this vulnerability has been around for about 2 years. So, even if your Joomla-powered website is not affected, you probably are. A worst-case scenario shows that about 66% (or 2/3) of the Web could be affected; a more realistic estimate is about 17%-18%, which is still significant (especially if it’s the right – or in this case wrong – 17%-18%).

So what is the Heartbleed (CVE-2014-0160) bug? In essence, it is an implementation bug (not inherent in the actual protocol) involving TLS (more specifically, the TLS heartbeat extension as specified in RFC6520). Some developer of OpenSSL back in 2012 missed a bounds check, which led to an attacker being able to read up to 64kb of process memory on either the implementing server, or a connected client (albeit to an ‘evil’ server).

The problem is that 64KB of RAM is the limit for a single Heartbleed attack. Attackers can spawn any number of attacks, thus reading any arbitrary amount of RAM they want to read that has been allocated to the process. And on a webserver, that includes the most critical component of SSL, the server’s secret/private key used to generate the SSL certificates. That key has to be in RAM, because that’s what is used to decrypt the SSL/TLS-encrypted data. While it can also uncover other bits of data (e.g. usernames, passwords, financial information), that’s not as critical as the fact that it can effortlessly conduct man-in-the-middle attacks and even impersonate the webserver. Imagine the ramifications for major banks and cloud storage providers, for instance.

So, if your website is affected, what can you do about it? For your Joomla-powered website, check and make sure that all of the OpenSSL libraries you’re using (OS and Web server, but possibly also your Joomla extensions) have been updated to the latest version (1.0.1g) or have been patched (many Linux distributions are patching 1.0.1f, and others are backporting the patch all the way back to 1.0.1). After patching or installing the latest version, restart your server (probably best to do a cold boot if you can). If your website is a hosted one, your options are more limited; you will have to bug your webhost to upgrade their systems – but most responsible webhosts should be doing so within the week anyway.

You then need to revoke your existing certificates and create new private keys and fresh certificates (see if your certificate vendor will give you a discount or even make it free). Use a checker like https://lastpass.com/heartbleed/ or https://www.ssllabs.com/ssltest/index.html to verify that your server’s security is no longer compromised. And most importantly, tell your users that you have already fixed the Heartbleed problem, so they should reset their passwords immediately.

This is quite possibly the worst-case scenario for Internet security since the inception of Internet security. It definitely blows the Snowden disclosures out of the water in terms of its impact – it’s a truly global issue and affects everybody.

Cookies make it easier for us to provide you with our services. With the usage of our services you permit us to use cookies.
More information Ok Decline