Weblog

10 April 2014, 09:15

Yesterday, the whole internet was talking about Heartbleed, a nasty bug in OpenSSL. This bug allows an attacker to remotely steal information, including the private key in use, from the memory of your server without leaving a trace.

Users of the Hiawatha webserver can relax: you are all safe, thanks to PolarSSL. The bug in OpenSSL was introduced in March 2012, and Hiawatha switched to PolarSSL in January 2012. So, although a bit of luck is involved, Hiawatha didn't let you down when it comes to security. Once again.

René
10 April 2014, 16:58
If you are in doubt, you can test it here [filippo.io].
Chris Wadge
11 April 2014, 14:48
Qualys updated their SSL Labs site to check for Heartbleed too (much more thorough tool): https://www.ssllabs.com/ssltest/

It was nice riding out the drama while the rest of the Internet burned, but it's still sad that it caused so much carnage in the process. Still, I have to say Hugo, you have great instincts. Keep it up.
RoestVrijStaal
13 April 2014, 00:33
In the announcement of Hiawatha 8.0 ( https://www.hiawatha-webserver.org/weblog/32 ) you mentioned that the primary reason for switching Hiawatha to PolarSSL was that it was more properly documented than OpenSSL.

It inspires me to predict that Heartbleed is the tip of an iceberg.
Open source projects should be documented well to give others the chance to improve and/or integrate them in their software. But if documentation is missing or not written well, then even code reviewing will likely be harder.
Alex
13 April 2014, 04:20
Hey Hugo, you knew about Heartbleed for a long time ;P
Anyway, I'm very grateful for the decision to switch to PolarSSL.
Thomas
14 April 2014, 21:30
The beta subdomain gives an SSL error in Chrome (it says the cert is for www, not beta). You should probably check that out.