While the release of, and the subsequent industry-wide and justifiable freak-out over, the Heartbleed vulnerability are just beginning to settle down, there are some longer-term implications that many companies are only now getting their arms around. Amid the frenzy of information during this crisis, the one positive thing the Heartbleed bug brought out is how many web servers are running old and obsolete code. Following the publication of the vulnerability and the ensuing media overload of coverage, everyone was told to scan their own websites, as well as those run by vendors and business associates, to see if they were vulnerable.
Most companies found out that they didn’t have the bug. Windows IIS servers are mostly immune to it, as they don’t rely on the OpenSSL libraries that are the heart, no pun intended, of the Heartbleed issue. And ironically, many Unix and Linux-based web servers run older implementations of OpenSSL that are also not vulnerable to Heartbleed. However, what has come out is that many servers have a lot of SSL issues unrelated to this latest vulnerability. One of the biggest is support for older SSL protocols that have long been obsolete and shown to be exploitable.
One of the most common vulnerabilities identified in websites is support for SSL 2.0. SSL 2.0 was developed in 1995, almost 20 years ago, early in the history of the commercial World Wide Web. It was developed by Netscape for one of its first browsers. It was quickly determined to be insecure and replaced by SSL 3.0 and later TLS 1.x. Many websites continued to support these standards in order to be backward compatible with older browser software, and in fact most web server installations enable SSL 2.0 support by default, including IIS. However, browsers that can only use SSL 2.0 are mostly gone. To give you an idea of how obsolete these browsers are, SSL 3 support was introduced with Netscape 2.x and Internet Explorer 3.x. Any browser newer than those, including Firefox, Chrome, Safari and later versions of Internet Explorer, would have shipped with SSL 3 or TLS, which is the newer, more secure standard.
So unless your customers are still using circa-1995 browser technology, you are safe in turning off these older protocols on your web servers. It is also recommended that you disable TLS 1.0, as it is an early, vulnerable version of TLS. On Windows IIS servers, it’s fairly straightforward and can be done by following this article:
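The following is an added example, not the article linked above: on Windows, SCHANNEL (which IIS uses for SSL/TLS) reads its per-protocol settings from the registry, so the server-side protocols can be turned off by writing those keys. The protocol list, the function names and the audit output are my own choices; the registry path and the `Enabled` / `DisabledByDefault` values are the standard SCHANNEL ones.

```powershell
# Added example: disable obsolete SSL/TLS protocols server-side via SCHANNEL.
# Run from an elevated PowerShell; SCHANNEL only reads these keys at boot,
# so a reboot is needed for the change to take effect.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocols the article recommends turning off (assumed default list; adjust as needed).
$ObsoleteProtocols = @('SSL 2.0', 'TLS 1.0')

function Get-SchannelServerState {
    # Audit helper: show, per protocol, whether the Server subkey exists and what it says.
    param([string[]]$Protocols = $ObsoleteProtocols)
    foreach ($p in $Protocols) {
        $key = Join-Path $SchannelBase "$p\Server"
        $enabled = $null; $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        [pscustomobject]@{
            Protocol          = $p
            KeyExists         = (Test-Path $key)
            Enabled           = $enabled            # 0 = off; missing = OS default (on for SSL 2.0)
            DisabledByDefault = $disabledByDefault  # 1 = not offered unless a client asks for it
        }
    }
}

function Disable-SchannelServerProtocol {
    # Create the Server subkey for the protocol and set both values so it is never negotiated.
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $SchannelBase "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
}

foreach ($p in $ObsoleteProtocols) { Disable-SchannelServerProtocol -Protocol $p }

# Read the keys back so the change can be verified before rebooting.
Get-SchannelServerState | Format-Table -AutoSize
```

Run the audit function alone first on a server you are unsure about, and test any client software that talks to the server before turning off TLS 1.0, since the change applies to every SCHANNEL consumer on the box, not just IIS.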
For Unix and Linux OpenSSL or other implementations, consult your distribution’s website. Suffice it to say that there is a lot more work to be done on web server security beyond Heartbleed. Disabling SSL 2 support is a good first step.