As a Website Owner, Should I be Concerned About the Heartbleed Bug?

The Heartbleed Bug in Open SSL has been the topic of headline news and on the minds of computer users around the globe. There is a lot of info on the web to help you navigate this security flaw, but here is what you need to know as a website owner in a nutshell:

  1. This should possibly be a concern to you if you are running an SSL Certificate on your website. Most of the time, this is due to an ecommerce website. If you don’t know what I am talking about, you probably do not have an SSL Certificate.  In that case, your website is not vulnerable and you can worry about your own personal accounts and if they have been compromised (See below).
  2. If you are running an SSL Certificate, you should call your host and ask them if they are using one of the versions of server software affected and if they have patched/upgraded.  You may need to reissue new SSL certificates, so ask your host about this!  (List below cit.

Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

I like to worry…. I am still worried.

If you are still concerned, go to this website and type in the address of your website and see if there are any issues.

As a consumer, should I be worried about my gmail, yahoo, youtube, etc accounts?

Some of the big names such as google were using a vulnerable version of the Open SSL software.  Google patched before the announcement was made so you do not need to change your youtube or gmail passwords, but you should refer to this list here – at the bottom you will see smily faces or frowny faces if you should change your password on particular websites like Yahoo! for example or flickr.

Read More in this Category: