Over the past day or two you may have been hearing about a major security vulnerability that impacted services like Yahoo!, Eventbrite, and Imgur. CVE-2014-0160, commonly called Heartbleed, is a serious OpenSSL vulnerability that would allow nefarious users to gain access to encrypted data from a server’s memory.
Green Egg Media wants to assure all of our clients that their data is secure and that we have not been impacted by this vulnerability. All of the servers that we use to store client data and host client websites are running versions of OpenSSL which are not vulnerable to a “heartbeat” attack. For our e-commerce clients that are running on FoxyCart stores, we want to assure you that your data and your customer’s data is also safe. FoxyCart announced yesterday that their services are secure and have not been breached.
It is estimated that Heartbleed may have affected as many as 66% of all web servers around the world. This number is probably too high considering that only selected versions of OpenSSL were impacted; however, the versions which were vulnerable have been in release for over two years now. While the vulnerability may have been wide-spread, unfortunately it is impossible to know whether or not any particular server was actually compromised. A cyber ciminal could get information from a vulnerable server’s memory without even leaving a trace of the request. While most affected service providers, including Yahoo!, have now fixed the problem, if you are a regular user of any affected services, we strongly recommend that you immediately change your passwords for those services, as well as any other services where you are also using that password. In general, we recommend that you never re-use passwords, but we know that many people reuse them anyway.
Since this vulnerability is so widespread, everyone who uses the internet is probably affected somehow. If you use any services that require you to sign in with a username and password, check with the service provider to make sure that they are not running a vulnerable version of OpenSSL. According to the official Heartbleed information site, the status of different versions of OpenSSL is as follows:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable