Question

I understand PHP's built-in random functions (rand(), mt_rand()) are not very safe, so I started using openssl_random_pseudo_bytes(). After reading the news, I noticed the Heartbleed bug, and how it's caused by something in OpenSSL.

Is it still safe to use this with Heartbleed around? Sorry that this is kinda a stupid question.

It's the only function I'm using; I'm not using any other OpenSSL function.

Solution

If you have:

  • updated to the newest patched version of OpenSSL,
  • changed your keys for your certificates,
  • changed all passwords or forced users to change passwords,

then you should no longer be affected by Heartbleed.

If you have not upgraded, you are still vulnerable to Heartbleed, and then whatever you use or pass along the internet can be caught and exposed.

If this is the only thing you're using OpenSSL for, though, you should be fine. All it is doing is creating a cryptographically unique string, unlike rand(), which can create infinite duplicates over time.
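
An added example, not part of the original question or answer: one way to call the function from the question so that it fails closed when strong bytes are not available, and to print the OpenSSL version string PHP reports so it can be compared with the patched release. The helper names secure_token() and linked_openssl_version() are assumptions made for this sketch.

```php
<?php
// Added example; secure_token() and linked_openssl_version() are hypothetical helper names.

/**
 * Return $bytes of CSPRNG output as a hex string.
 * Fails closed instead of silently handing back weak or empty output.
 */
function secure_token($bytes = 32)
{
    if (!is_int($bytes) || $bytes < 1) {
        throw new InvalidArgumentException('byte count must be a positive integer');
    }
    // PHP 7+ ships random_bytes(), which reads the OS CSPRNG and does not involve OpenSSL.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    if (!function_exists('openssl_random_pseudo_bytes')) {
        throw new RuntimeException('no CSPRNG available');
    }
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    // $strong is set by reference; anything other than true means the bytes
    // must not be used for tokens, keys or salts.
    if ($raw === false || $strong !== true || strlen($raw) !== $bytes) {
        throw new RuntimeException('openssl_random_pseudo_bytes did not return strong output');
    }
    return bin2hex($raw);
}

/** OpenSSL version string as reported by PHP's openssl extension. */
function linked_openssl_version()
{
    return defined('OPENSSL_VERSION_TEXT')
        ? OPENSSL_VERSION_TEXT
        : 'openssl extension not loaded';
}

// Compare the reported version with the patched release named in your vendor's
// Heartbleed advisory, and confirm the installed library package as well.
echo 'OpenSSL reported by PHP: ', linked_openssl_version(), PHP_EOL;
echo 'Example token:           ', secure_token(32), PHP_EOL;
```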

License: CC-BY-SA with attribution
Not affiliated with StackOverflow