OpenSSL unlocked

What to do with your OpenSSL system: Secure it or replace it?

by David Strom

Bad memories persist for Heartbleed (CVE-2014-0160), the bug in OpenSSL's implementation of the TLS heartbeat extension that let anyone who could open a connection read chunks of the peer's memory, 64 KB at a time: private keys, session cookies and passwords, typically without leaving anything in the application's logs.

With so much of the Internet relying on OpenSSL, the announcement of Heartbleed sent shock waves. Now that some time has passed and the media frenzy has died down, the question still remains: what should you do with your OpenSSL systems?

Option 1: Secure your OpenSSL system

First, the OpenSSL project has issued several updates¹ since Heartbleed, and not only for that one bug. At a minimum, if you are still running the software, apply them now, restart (or rebuild, where the library is statically linked) every service that loaded the old copy, and reissue any certificate whose private key sat in a vulnerable process while it was exposed.

Second, while most of the attention went to servers, clients were exposed too: a malicious server can read memory from any client built on a vulnerable OpenSSL (sometimes called "reverse Heartbleed"). At least one browser fell into that category, Chrome on Android devices, and Google has issued its own update to remedy the issue.

Third, you should employ some kind of network scanning tool to root out where Heartbleed might still exist. A number of products that you may not have thought of embed OpenSSL, low-end routers, cable modems and print servers, to name a few, and their firmware is patched on the vendor's schedule, not yours. This means not just a single scan, but continuous scanning, so that a device a user plugs in does not quietly reintroduce the bug. Call it "bring your own vulnerability."

Tenable Network Security² offers several scanning products that can be used for this purpose, as do other security vendors. Investigate what it will take to deploy such a product across your organization.

Option 2: Seek OpenSSL alternatives

But should you start thinking about alternatives? Consider the number of products that have a built-in Web server with remote management options. The list is seemingly endless, and herein lies the issue: each of those products ships with some SSL/TLS implementation to secure browser access to its management interface, and the purchaser, whether a user or an IT department, usually cannot swap it out. The one consolation is that vendors have not all chosen the same library, so a bug in one implementation does not take down every device at once.

InfoWorld has reviewed four alternatives³: Mozilla's NSS, GnuTLS, PolarSSL and MatrixSSL. Check out the review and see whether one of them will work for your situation, or may already be part of your current infrastructure. For example, many Linux-based products use Mozilla's NSS, which did not have the Heartbleed bug.

Considering the revelations and issues that have come to light since Heartbleed, these alternatives to OpenSSL currently seem the safer option. Bear in mind, though, that none of them is bug-free: GnuTLS, for one, fixed a certificate-verification flaw of its own (CVE-2014-0092) only weeks before Heartbleed was announced. What changes when you switch is whose patch cycle you depend on, not whether you need one.

Do what’s right for your business

OpenSSL touches a lot of different places across your business. Whether you intend to select an alternative or stay with OpenSSL, make a plan to start beefing up your network scanning and protection, keep an inventory of which TLS library each system and device actually runs, and stay current on updates that address newly found vulnerabilities. As businesses continue to rapidly transform and step further into the digital world, finding the right security measures isn't just a good thing to have, it's an increasingly critical element of success.

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VoIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. His work has appeared in ITworld.com, TechTarget.com, Internet.com, Network World, InfoWorld, PC Week, Computerworld, Small Business Computing, CNET and News.com, eWeek, Baseline Magazine, PC World, and PC Magazine.

¹ Larry Seltzer, "OpenSSL fixes another severe vulnerability", ZDNet, 6 June 2014. Accessed 7 November 2016.
² Tenable Network Security, "Heartbleed: Tenable Network Products Provide Strategic Solutions", Tenable.com. Accessed 18 November 2016.
³ Serdar Yegulalp, "After Heartbleed: 4 OpenSSL alternatives that work", InfoWorld, 11 April 2014. Accessed 7 November 2016.