Login   Register  
PHP Classes
elePHPant
Icontem

OpenSSL Serious Security Bug: Does it Affect Your PHP sites? - PHP Classes blog

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us
  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog OpenSSL Serious Secur...   Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)  
<< Previous: Hack Language is All ...>> Next: Is the Hack Language ...

Author: Manuel Lemos

Posted on:

Categories: PHP Tutorials, PHP Security

Just a few days ago it was publicly announced a serious security bug called Heartbleed that affects secure sites based on the OpenSSL library.

Read this article to learn more about this security problem, how to test if your Web server or SSH server is vulnerable, how it may affect your PHP sites, what you should do to fix the problem.




Contents

What was this Heartbleed OpenSSL Security Bug?

Does Heartbleed Affect My PHP Web site?

How can I check if My Web Server is Secure?

What Shall I Do to Fix the Problem?

Does It Affect My PHP Web Site if I just sent HTTPS Requests to Remote Servers?

Does It Affect My Server If it Has OpenSSH as SSH server?

What if I still have Doubts about my Server?


What was this Heartbleed OpenSSL Security Bug?

Heartbleed vulnerability logoThe HeartBleed security vulnerability recently announced that compromises servers based on OpenSSL. It allows exploits to eventiually steal files from servers, so this is a very serious flaw, in the sense that it may allow accessing sensitive information that may be used to invade and compromise servers.

OpenSSL is an Open Source library used to implement secure Web servers (https) in most Open Source Web servers like Apache, Nginx, etc..

Does Heartbleed Affect My PHP Web site?

If your Web server takes SSL requests (https) and it uses older versions of OpenSSL 1.0.1, yes you should be concerned and recompile or replace the Web server modules to use at least OpenSSL 1.0.1g version.

If you are using OpenSSL 1.0.0 or older revisions, you may not be vulnerable to the Heartbleed issue, but you may have other limitations.

If you are not using your Web server to take https requests, you should not be concerned with this vulnerability.

How can I check if My Web Server is Secure?

One easy way to check the SSL security issues of your Web server is to try the Qualys SSL Labs SSL Server Test online tool. This is a very useful tool developed by Ivan Ristic, whom curiously has also been a contributor of the PHP Classes site in the past.

The SSL Server Test tool not only can tell you if your Web server is vulnerable to the Heartbleed issue, but also if it has other issues like supporting insecure protocols, ciphers or SSL options.

Ideally your SSL Web server grade should look like this or at least very close.

SSL Server Test Heartbleed vulnerability

What Shall I Do to Fix the Problem?

Ideally you should update the OpenSSL 1.0.1 installation with a newer version, as well rebuild or your at least restart your Web server to use the newer OpenSSL version.

If you cannot rebuild your Web server modules by yourself or you would rather wait for your distribution vendor to provide an update, it may take a while but eventually will happen soon if your distribution is well maintained.

Does It Affect My PHP Web Site if I just sent HTTPS Requests to Remote Servers?

In general no, but if your PHP scripts are accessing a compromised server, it is possible that the server may have access to data from your PHP script. In any case, if you are not sure, updating your OpenSSL version if it is 1.0.1, should not hurt.

If you also use PHP OpenSSL support to create certificates and sign data, you should not be concerned at all.

Does It Affect My Server If it Has OpenSSH as SSH server?

No, while OpenSSH also uses OpenSSL, it seems OpenSSH does not use SSL TLS protocol, so you should not be concerned with this.

What if I still have Doubts about my Server?

You may want to post a comment to this article here. You may also ask at the Qualys Community forum.

You need to be a registered user or login to post a comment

Login Immediately with your account on:

Facebook ConnectGmail or other Google Account
Hotmail or Microsoft Windows LiveStackOverflow
GitHubYahoo


Comments:

No comments were submitted yet.


<< Previous: Hack Language is All ...>> Next: Is the Hack Language ...

  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog OpenSSL Serious Secur...   Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)