Update on Heartbleed SSL exploit – Personal device vulnerability

When Heartbleed was announced, it was pretty clear that the issues were focused on various cloud servers, like web servers and email servers. That is to say, the vulnerability is on the servers that serve your computers and devices. It didn’t seem to be a vulnerability in consumer devices and computers. See FLASH: Heartbleed SSL vulnerability for more information.

Though this is largely true, there are some exceptions that you should be aware of. The exceptions are when your computer or device acts like a server out to the Internet. In these cases, if your device or computer provides encrypted connections, it could trip over the OpenSSL issue.

Routers provide the interface between your home network and the world-wide, wild west Internet.  The router provides the firewall between the Internet and your network, preventing connections from being made into your network from the outside (see my Security Primer for more detail).

However, you can configure your router to allow connections to be made from the Internet through to one or more computers on your home network. You can establish a single computer to be totally open to the net, or you can selectively open ports (e.g., port 25 for email) to selected computers in your network. The reason you might be doing this is to serve up web services or email out to the Internet. For example, I know folks who set up an email server to serve email to their families, bypassing the need for commercial or consumer email servers like Gmail or Yahoo.

If you’re providing web or email services from any computer on your home network to the outside, and if you’ve configured the services to use encrypted connections, then you might have this issue. The good news here is that if you are serving these services from either Windows or MacOS, you should be OK. It turns out that MacOS uses OpenSSL, but it’s an older version that doesn’t have this vulnerability (Apple is notoriously slow to update open source components, to their benefit in this case). Windows IIS isn’t impacted either.

The only OS that is impacted is Linux, in its various flavors. The primary web server that ships with Linux is Apache, and it’s configured by default with OpenSSL.

Also, some routers are impacted by this issue, especially if they permit management of the router from the Internet.  Again, this is typically via an encrypted connection.  If you manage your network from the outside, check with your router manufacturer.  I do know that some D-Link and Cisco routers are vulnerable.  Linksys and Apple Airport routers are safe.

 
