08 Apr 2014

Heartbleed affects clients too

If you're in any kind of tech circle, then all you will have heard today and yesterday is discussion of Heartbleed. It's a very serious bug in the OpenSSL library. The chances are that if you have a server, you're using OpenSSL somewhere or other.

Everybody with public-facing servers using SSL has been rushing to update them to the new patched OpenSSL version. Amazon have released updates to their services, as have other major providers such as Cloudflare.

What I'm not seeing mentioned much is the fact that clients are susceptible to this vulnerability! Don't fool yourself into thinking you're safe. If you are running web crawlers out on the open internet, connecting over SSL using OpenSSL, there's no reason why somebody can't use this bug to affect you. They can extract information from your client. Your server could contain secret keys, passwords and all other kinds of sensitive material.

If you're running a web crawler, then make sure you patch your OpenSSL too.