Tags: ruby-on-rails, openssl, heartbleed-bug

How does Heartbleed affect Ruby on Rails?


Do Rails developers need to make any special changes or considerations based on the OpenSSL Heartbleed vulnerability?

Do any of the core Rails libraries rely on the affected OpenSSL versions?


Solution

  • As far as I understand it, no. Rails itself doesn't depend on OpenSSL. Instead it depends on the machine that the Rails app is on. Windows and Mac OS X are probably unaffected, as they don't ship OpenSSL by default. Many forms of Linux do, however, use the libssl and openssl software. What does this mean exactly?

    If you're worried about your own personal computer, you're unlikely to be vulnerable if you use Windows or Mac and Chrome. (I'm not sure about Firefox or IE.)

    If you're worried about your app that is on a server somewhere, then you need to check the system libraries yourself to make sure that the server doesn't use OpenSSL (or check that the version is new, or recompile OpenSSL using the -DOPENSSL_NO_HEARTBEATS flag).

    If you can't check the system (e.g. you use remote hosting), you can check the SSL certificate of the website and make sure it was issued after 7 April 2014.

    If you really don't know about someone else's website and want to check, you can use this vulnerability checking tool.

    Also, as a good measure, if you re-use passwords on any sites, or think you've been using a password for a while that you may have once put into an insecure site, you should change your passwords to a new set. Updating passwords regularly is good practice anyway.
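The answer above says to check the OpenSSL the server uses. The script below is an added example, not part of the question or the answer: it asks Ruby's own openssl extension which OpenSSL it was compiled against and which library it loaded at runtime (these can differ, e.g. with a vendor-built Ruby), and classifies the version banner against the publicly documented affected range (the 1.0.1 branch from 1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g of 7 April 2014 is the fixed release). The function names and the sample banners in the test are my own.

```ruby
require 'openssl'

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g (7 Apr 2014) and 1.0.2-beta2 contain the fix.
AFFECTED_101_PATCH_LETTERS = ['', 'a', 'b', 'c', 'd', 'e', 'f'].freeze

# Parse a banner such as "OpenSSL 1.0.1e 11 Feb 2013" into
# [major, minor, fix, patch_letter, suffix]. Returns nil if it does not look
# like an OpenSSL banner.
def parse_openssl_version(banner)
  m = banner.match(/OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[\w.]+)?/)
  return nil unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4], m[5].to_s]
end

# True when the version string alone places this build in the affected range.
# Caveat for practitioners: distributions often backport fixes without bumping
# the banner (a patched package can still say "1.0.1e"), so a true result means
# "go and check the package changelog / build date", not "definitely vulnerable".
def heartbleed_affected?(banner)
  parsed = parse_openssl_version(banner)
  return false unless parsed
  major, minor, fix, letter, suffix = parsed
  return false unless major == 1 && minor == 0

  case fix
  when 1 then AFFECTED_101_PATCH_LETTERS.include?(letter)
  when 2 then suffix == '-beta1'
  else false
  end
end

# Report what this Ruby interpreter's openssl extension was compiled against
# and what it actually loaded. OPENSSL_LIBRARY_VERSION exists on Ruby 2.1+;
# older Rubies only expose the compile-time constant.
def ruby_openssl_report
  compiled = OpenSSL::OPENSSL_VERSION
  runtime  = defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) ? OpenSSL::OPENSSL_LIBRARY_VERSION : compiled
  {
    compiled_against:        compiled,
    loaded_at_runtime:       runtime,
    version_string_affected: heartbleed_affected?(runtime)
  }
end

if __FILE__ == $PROGRAM_NAME
  report = ruby_openssl_report
  puts "Compiled against:  #{report[:compiled_against]}"
  puts "Loaded at runtime: #{report[:loaded_at_runtime]}"
  if report[:version_string_affected]
    puts 'Version string is in the affected range; confirm whether your distribution backported the fix.'
  else
    puts 'Version string is outside the affected range.'
  end
end
```

Run it with the same Ruby that serves the Rails app (e.g. via `bundle exec ruby`), since a system `openssl version` can point at a different library than the one a vendored or rbenv-built Ruby linked. If the runtime banner differs from the compiled one, the runtime value is the one that matters for live TLS connections.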