The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) was publicly announced on April 7, 2014. Its causes and fixes are well documented elsewhere. Unfortunately, there is no standard manner of communicating whether a site was unaffected, was exposed, or has since been fixed. That has severe security implications for visitors, who cannot tell whether, or when, they should change their password on a particular site: a password changed while the site is still vulnerable can leak just like the old one, and a password changed before the site replaced its certificates may still be at risk.
This proposal is a method of informing users about a site's state. It adds an easily parsed HTTP header to responses so that clients (or sufficiently helpful user agents) can act on it automatically, rather than relying on a blog post or e-mail that most visitors never see.
Heartbleed is one specific vulnerability affecting one specific software library. It is likely that another vulnerability of similar scope and importance will be discovered in the future. By standardizing a manner of communicating status updates to users today, the risk and uncertainty of future incidents are lessened.
Although the Heartbleed header is named after this high-profile vulnerability, it is intended as a long-term mechanism for communicating future customer-affecting incidents in an automated fashion.
Some organizations may believe that admitting vulnerability reflects poorly on their security. This is not true. By some estimates, over one third of SSL-encrypted websites on the Internet were vulnerable to the Heartbleed bug. There is no blame to be avoided and no fingers to be pointed. The only responsible course of action is to notify users so that they may take actions to protect themselves, and such notifications have been well received and respected by the Internet community.
Heartbleed: status; see http://heartbleedheader.com

where status is one of:

NO
YES
FIXED: <date>
REPLACED: <date>
REKEYED: <date>
UPDATECREDS: <date> [url]

<date> is written as YYYY-MM-DD, as in the server examples below. [url] is an optional link to the page where users can update their credentials. The header value is a single line; a client reads the status keyword, then the date and URL if present, and can ignore the "; see ..." reference, which exists for humans who encounter the header.
Sites that cannot change their server's response headers can supply the same information using a standard meta tag in their HTML:

<meta http-equiv="Heartbleed" content="value; see http://heartbleedheader.com">

Prefer the real HTTP header where possible: the meta form is only present in HTML documents, so a client that issues a HEAD request or fetches a non-HTML resource will not see it.
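Below is an added example of the client side of this proposal, written for this page and not code from heartbleedheader.com. It parses a Heartbleed header value according to the syntax above (status keyword, optional date, optional URL, optional "; see" reference), rejects malformed or contradictory values instead of guessing, and turns the result into advice for a user whose credentials were last changed on a known date. The advice rule in credential_advice() is this example's own assumption about how a helpful user agent might act (the proposal only defines the header); the sample responses and host names such as bank.example are constructed for the demonstration.

```python
"""Parse the proposed Heartbleed HTTP header and turn it into user advice.

Added example; not code from heartbleedheader.com.  The grammar follows the
page ("STATUS[: YYYY-MM-DD[ url]][; see URL]").  The advice rule in
credential_advice() is an assumption made here, not part of the proposal.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Mapping, Optional

STATUSES = ("NO", "YES", "FIXED", "REPLACED", "REKEYED", "UPDATECREDS")
DATED = ("FIXED", "REPLACED", "REKEYED", "UPDATECREDS")

# status, optional ": date", optional " url" (only meaningful for UPDATECREDS),
# optional "; see URL" trailer.  Dates are the ISO form the page's examples use.
_VALUE_RE = re.compile(
    r"^\s*(?P<status>[A-Za-z]+)"
    r"(?:\s*:\s*(?P<date>\d{4}-\d{2}-\d{2})(?:\s+(?P<url>[^\s;]+))?)?"
    r"\s*(?:;\s*see\s+(?P<see>[^\s;]+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class HeartbleedStatus:
    status: str                 # one of STATUSES
    on: Optional[date] = None   # date for FIXED/REPLACED/REKEYED/UPDATECREDS
    url: Optional[str] = None   # optional credential-update URL (UPDATECREDS)
    see: Optional[str] = None   # the "; see ..." reference, if present


def parse_heartbleed_header(value: str) -> HeartbleedStatus:
    """Parse a header value; raise ValueError rather than guess on bad input."""
    m = _VALUE_RE.match(value)
    if not m:
        raise ValueError(f"malformed Heartbleed header: {value!r}")
    status = m.group("status").upper()
    if status not in STATUSES:
        raise ValueError(f"unknown Heartbleed status: {status!r}")
    raw_date, url = m.group("date"), m.group("url")
    if (status in DATED) != (raw_date is not None):
        raise ValueError(f"{status}: date is required for dated statuses only")
    if url is not None and status != "UPDATECREDS":
        raise ValueError(f"only UPDATECREDS carries a URL, not {status}")
    on = date.fromisoformat(raw_date) if raw_date else None  # rejects 2014-13-40
    return HeartbleedStatus(status, on, url, m.group("see"))


def find_header(headers: Mapping[str, str]) -> Optional[str]:
    """HTTP header names are case-insensitive; look the value up accordingly."""
    for name, value in headers.items():
        if name.lower() == "heartbleed":
            return value
    return None


def credential_advice(h: HeartbleedStatus, last_changed: Optional[date]) -> str:
    """Assumed rule (not from the proposal): NO -> nothing to do; YES -> wait,
    because a new password sent to a still-vulnerable site can leak too; any
    dated status -> change credentials unless they were already changed on or
    after that date."""
    if h.status == "NO":
        return "no-action"
    if h.status == "YES":
        return "wait"
    if last_changed is not None and last_changed >= h.on:
        return "no-action"
    return "change-password"


def advise(headers: Mapping[str, str], last_changed: Optional[date]) -> str:
    """Wrapper for a whole response: missing header -> 'unknown', bad -> 'invalid'."""
    raw = find_header(headers)
    if raw is None:
        return "unknown"
    try:
        return credential_advice(parse_heartbleed_header(raw), last_changed)
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    # Constructed sample responses (not real sites); values follow the page's syntax.
    samples = {
        "shop":  {"Content-Type": "text/html",
                  "Heartbleed": "REPLACED: 2014-04-08; see http://heartbleedheader.com"},
        "blog":  {"heartbleed": "NO; see http://heartbleedheader.com"},
        "bank":  {"Heartbleed": "UPDATECREDS: 2014-04-09 https://bank.example/reset"},
        "forum": {"Heartbleed": "YES"},
        "other": {"Server": "nginx"},
    }
    for site, hdrs in samples.items():
        print(f"{site:6} -> {advise(hdrs, date(2014, 4, 1))}")
```

The parser is deliberately strict: a dated status without a date, a NO or YES carrying a date, or an unknown keyword is reported as invalid rather than silently mapped to "no action", since the whole point of the header is that a visitor can rely on it. A real user agent would feed it the headers of the response it just received; the output is "unknown" for sites that have not adopted the header, which a client should treat the same as before the proposal existed.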
These are only general examples. Every server is different and has its own requirements. Set the header on the HTTPS site (it is the TLS endpoint that Heartbleed affected), and after reloading, confirm that it is actually being sent, for example with curl -sI https://yoursite.example | grep -i '^heartbleed:' from another host.
As root (Debian/Ubuntu layout; the symlink below is what a2enmod headers does for you):
# cd /etc/apache2/mods-enabled
# ln -s ../mods-available/headers.load
# cd ../sites-enabled
# vi mysite.conf
...
<VirtualHost *:443>
Header add Heartbleed "REPLACED: 2014-04-08; see http://heartbleedheader.com"
</VirtualHost>
...
# apachectl configtest
# service apache2 restart
Use Header set instead of Header add if some other layer (a proxy, an application framework) might also emit the header, so that clients never receive two conflicting values.
As root:
# cd /etc/nginx/sites-enabled
# vi mysite.conf
server {
...
add_header Heartbleed "NO; see http://heartbleedheader.com";
...
}
# nginx -t
# service nginx reload
Two nginx caveats: a location block that contains any add_header directive of its own does not inherit the ones from the enclosing server block, so the Heartbleed header must be repeated there; and add_header by default applies only to 2xx and 3xx responses (the always parameter, available from nginx 1.7.5, extends it to all responses).
These products and services are known to use Heartbleed headers: