Should I take any action on Heartbleed?

14

As a developer, do I have to take any action on Heartbleed? Since it is a problem in OpenSSL, I believe it falls more within the scope of webmasters, server administrators, etc. But I'm not sure if it's just that (updating OpenSSL and swapping all the certificates and passwords) or if there's any more specific action to take, or some detail we'd have to pay attention to.

For context, for those who are not aware of the problem: a bug was recently identified in OpenSSL that allowed an attacker to access arbitrary memory regions on the server, all without the need for authentication and without leaving a trace. Certificates, private keys, passwords, personal data, nothing would be safe. It is being described as "the worst security flaw in Internet history", "on a scale of 1 to 10, this is an 11", etc. On the security.SE site, the heartbleed tag, created yesterday (2014-04-08), already has almost 50 questions.

asked by anonymous 10.04.2014 / 02:03

2 answers

3

After correcting the bug and revoking compromised certificates, I would require a mandatory password change for all users on the first login. This last part, the password change, is where the developer's work comes in.

12.04.2014 / 09:02
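
The forced password change suggested in the answer above, sketched as an added example (not code from the original question or answers). The `REMEDIATED_AT` cutoff, the `User` fields and all function names are assumptions made for illustration; the sample users in any run are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed value: when the patched OpenSSL went live and certificates were reissued.
REMEDIATED_AT = datetime(2014, 4, 9, 12, 0, tzinfo=timezone.utc)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_changed_at: datetime

def make_user(name: str, password: str, changed_at: datetime) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), changed_at)

def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)

def login(user: User, password: str) -> str:
    """Return 'denied', 'must_change' (no session issued yet) or 'ok'."""
    if not check_password(user, password):
        return "denied"
    # A password last set before remediation may have been read from server memory.
    if user.pw_changed_at < REMEDIATED_AT:
        return "must_change"
    return "ok"

def change_password(user: User, old: str, new: str, now: datetime) -> bool:
    # Re-authenticate, and refuse to "change" to the possibly exposed password.
    if not check_password(user, old) or new == old:
        return False
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new, user.salt)
    user.pw_changed_at = now
    return True

def session_valid(created_at: datetime) -> bool:
    # Session tokens issued before remediation were in the same memory; reject them.
    return created_at >= REMEDIATED_AT
```

The cutoff only makes sense once the library is patched and the certificate replaced; a password changed before that point would pass through the still-exposed server.
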

2

The only action required is to test your application(s) with the patched version of the OpenSSL library to ensure they work, so that webmasters and server administrators have no problems updating the library.

11.04.2014 / 19:19