Jason Soroko explained, " It is highly likely that this event will lead to spoof emails claiming to come from your organization, directing your clients to fake websites in order to harvest credentials. Help educate your clients in your communication by encouraging them to physically type in the URL. At a minimum, do not hide the URL, which is what a phish email will look like."
What's the reasonable response?
Depends on the size of the organization and the size of your traffic. Large, heavily trafficked sites are already updated(or should be). You may fall into that category. Use this checklist to confirm and review the actions of the team.
Smaller sites may take longer to assess and act. Some sites rely on third parties and organizations to maintain their sites. It is important that they understand and follow the five steps outlined above. Based on workload and the time to get the certs revoked and reissued, it may be a few days or weeks.
Keep in mind that in all cases, it is important to review partners and interconnected systems.
Individual actions: for us and those we serve
1. Check to see if a site is vulnerable
While this is widely reported as potentially impacting two-thirds of Internet-facing servers, some sites do not rely on or use openSSL. Those sites may not be vulnerable. The majority of sites, however, do use openSSL and either need to patch it or they already did.
One way to find out is to run a test using a website or browser plugin (a quick search reveals 2-3 popular options). At this point, these checks look to see if the site uses -- and patched -- open SSL, but not necessarily if the certificate was reissued.
I chose not to share the links because in some cases, their use could be deemed illegal (read here). We'll need to explore this more in the near future. In the meantime, an alternative for checking large/popular sites is to check one of the public lists of updated websites maintained by several tech sites.
2. Check to see if the site certificate is updated
The complete fix requires revocation and re-issue of server certificates. If a site passes the check for updating the patch, it is still importance to check for a currently re-issued cert (after April 7, 2014).
Soroko points out, "A browser user is only a button click or two away from SSL cert information, but looking at the certificate date does not guarantee safety because a user would not know if the correct patches have been applied. It is more important to rely on certificate revocation and use the publicly available vulnerability checks. (eg. https://www.ssllabs.com/ssltest/analyze.html?d=yahoo.com&hideResults=on)"
Sign up for CIO Asia eNewsletters.