Bluetent’s response to Heartbleed

By April 9, 2014Strategy
Bleeding heart - Heartbleed

The Heartbleed bug in the OpenSSL implementation of the SSL protocol is making waves on the Internet right now as service providers and web users scramble to understand what it means and what needs to be done about it.

At Bluetent we are no exception. Our technical operations team has already sprung into action. While we have no indication that any of our systems have been exploited by the bug, the nature of the bug makes it very hard to detect if you’ve been exploited. Here are some things we’re doing or have already done to implement a prudent and robust response to this security threat:

Patch OpenSSL on All Servers

All servers in our development and production environments have already been patched to address the exploit. If you want to know what version of OpenSSL is running on your server you can try running this at the command line:

openssl version

Because we are using RedHat with backported security patches, the output of ‘openssl version’ was incorrect. Running the following command allows us to verify that the OpenSSL exploit for Heartbleed has been patched:

rpm --queryformat '%{CHANGELOGTEXT}\n' -q openssl

Re-key All SSL Sites

Pretty much all or our Vacation Rental booking sites take credit cards over SSL, so this issue is extremely important to us. We are in the process of re-keying all of our SSL sites. This is no small task, but we made it easier with some scripting. All of our sites are rooted under /var/www and have a “certs” folder. The script we wrote generated new keys and certificate signing requests for all existing SSL vhosts without having to re-enter all of the organizational information contained in existing certificates. It also put all of the new CSRs into a neat little zip file that we can take to our SSL provider to re-issue all certificates quickly.

find /var/www/. -type f -iname “*.crt” -print0 | while IFS= read -r -d $’\0′ crtpath; do
export DIR=${crtpath%/*}
export VHOST=${DIR%/*}
export FILE=`basename $crtpath`
export KEYFILE=${FILE/\.csr/\.key}
export DOMAIN=${FILE%\.csr}
if [ ! -d $DIR/newcerts ]; then
mkdir $DIR/newcerts
openssl genrsa -out $DIR/newcerts/$DOMAIN.key 2048
openssl x509 -x509toreq -in $crtpath -out $DIR/newcerts/$FILE -signkey $DIR/newcerts/$DOMAIN.key
zip -g -j $DIR/newcerts/$FILE

Get the GIST for this script

Change Passwords

This may be one of the most time-consuming aspects of the fallout from Heartbleed. We all need to change our passwords for all services accessed securely over the internet. Not all sites and major services were affected, but it’s a good idea to change your passwords frequently and use hard passwords that you can’t remember even yourself. We use Lastpass at Bluetent to facilitate strong password storage. 1Password is a great solution for MacOS and KeePass does a great job on Windows.

More to come…

As we work with our infrastructure team on the response to Heartbleed there will be more steps to take. If you didn’t think “internet security” was an oxymoron before Heartbleed, you may now want to reconsider…

Leave a Reply