Apr 082014

Anyone running a server with OpenSSL or OpenVPN needs to make sure they are running a secure version. It’s not enough to hope you’re safe. If you have been running an insecure version… tough luck, you are going to have to assume the worst and change your secret keys, revoking the old ones. How high the risk is cannot be judged as the leak leaves no traces.

Refer to the official sources. Unfortunately, the official OpenSSL notification is far too weak an uninformative, at the time of writing (8th April, 2014)

You will find lots of other, better sites with more information and, unfortunately, more horror scenarios. Here’s the one Google are currently putting top of the search lists

How on earth the Heartbleed.com domain happened to be available to shout out this vulnerability I do not know… I expect it to metamorphose into some shopping portal when the dust hasn’t quite settled.