The risk of Heartbleed client-side attacks, and what end users should do about it, was the focus of the fourth briefing on the bug from the SANS Institute's Internet Storm Centre (ISC).
SANS is the most trusted and by far the largest source for information security training and security certification in the world. A range of individuals, from auditors and network administrators to chief information security officers, share the lessons they learn and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community.
"A lot of the effort initially has been on servers, and servers are certainly at the most risk — not just web servers, but mail servers, and all of that good stuff as well. Everything that uses OpenSSL with an affected version is vulnerable, whether it's a client, whether it's a server — and of course as an end user, you're mostly concerned about the client part," said SANS presenter and ISC chief technology officer Johannes Ullrich.
Clients are indeed vulnerable, said Ullrich, but not the most popular ones. At the operating system level, Apple's OS X uses OpenSSL version 0.9.8, not the Heartbleed-vulnerable version 1.0.1, and Windows doesn't use OpenSSL at all — although there can be a risk from Windows applications that have been statically compiled against OpenSSL libraries.
"It's unlikely that a normal, average home Windows user has OpenSSL on their system," Ullrich said. "You're not going to run a web server on your home Windows machine." Android devices are the main client-side risk, because Android is the only major operating system that uses OpenSSL widely.
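The statically compiled case is the awkward one on Windows, because no separate OpenSSL DLL shows up in a software inventory. As an added example, not code from the briefing or this article, the Python script below scans binaries for the version banner OpenSSL embeds as a plain string and flags the Heartbleed-affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g); the affected-version range and the sample bytes are my own assumptions, not taken from the page.

```python
import re
from pathlib import Path
from typing import Iterator

# OpenSSL embeds its version banner as a plain string, e.g. "OpenSSL 1.0.1e 11 Feb 2013",
# so a statically linked copy is visible even when no libssl DLL ships beside the program.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?) ")

def is_heartbleed_affected(version: str) -> bool:
    """True for the releases that carry the Heartbleed bug: 1.0.1 through 1.0.1f,
    plus 1.0.2-beta1. 1.0.1g fixed it; 0.9.8 and 1.0.0 never had the TLS heartbeat code."""
    if version == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    if not m:
        return False
    letter = m.group(1)
    return letter == "" or letter <= "f"

def find_openssl_versions(data: bytes) -> list[str]:
    """Return every distinct OpenSSL version banner found in a binary blob, in order."""
    seen: list[str] = []
    for m in BANNER_RE.finditer(data):
        v = m.group(1).decode("ascii")
        if v not in seen:
            seen.append(v)
    return seen

def scan_file(path: Path) -> list[tuple[str, bool]]:
    """(version, affected) pairs for each OpenSSL banner in one file."""
    return [(v, is_heartbleed_affected(v)) for v in find_openssl_versions(path.read_bytes())]

def scan_tree(root: Path, suffixes=(".exe", ".dll")) -> Iterator[tuple[Path, str]]:
    """Yield (file, version) for every affected OpenSSL copy found under root."""
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            for v, affected in scan_file(p):
                if affected:
                    yield p, v

# Constructed sample: fake bytes standing in for a stripped executable's read-only data.
SAMPLE_BINARY = (b"\x00\x01MZ\x90\x00padding" b"OpenSSL 1.0.1e 11 Feb 2013\x00"
                 b"more\x00OpenSSL 0.9.8y 5 Feb 2013\x00\xff")

if __name__ == "__main__":
    for v in find_openssl_versions(SAMPLE_BINARY):
        print(f"{v}: {'AFFECTED' if is_heartbleed_affected(v) else 'not affected'}")
```

Point scan_tree at a program directory to list affected copies; a hit means the application, not the operating system, needs the vendor's update.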
"The first message [for home and family users] is 'Do not patch.' This sounds counter-intuitive, and yes there may be software that people have installed that does use OpenSSL," he said. But for home users who've seen Heartbleed scare stories in the mainstream media, being caught by scams is the greater risk.
The second message is that, yes, changing passwords to online services is "probably a good idea", Ullrich said. "Even if it didn't get leaked, it's probably not going to break anything." And, because changing so many passwords is a pain, get a password manager.
"If you still have to remember all your passwords, and if you are able to do so, your passwords are too weak," he said.