Heartbleed Bug (heartbleed.com)
You have probably been seeing the news about passwords, security and something called the Heartbleed Bug. Heartbleed is one of the worst security threats in recent memory for organizations that have trusted OpenSSL to protect their data. Netcraft's recent analysis suggests that today around 15 percent of SSL-enabled sites, roughly half a million certificates and the private keys behind them, are exposed to the vulnerability.
On April 7, 2014, the OpenSSL project issued a security advisory for CVE-2014-0160, a vulnerability in OpenSSL's implementation of Transport Layer Security (TLS) and its predecessor, the Secure Sockets Layer (SSL), that lets a remote, unauthenticated attacker read sensitive data out of a server's (or client's) memory. It has become known as Heartbleed. OpenSSL versions 1.0.1 through 1.0.1f (and 1.0.2-beta1) are missing a bounds check in the TLS/DTLS heartbeat extension (RFC 6520): the code trusts the payload length claimed in an incoming heartbeat message and copies that many bytes from its receive buffer into the reply, so a message that claims a 64 KB payload but actually carries a few bytes is answered with up to 64 KB of whatever happened to be in adjacent process memory. The request can be repeated as often as the attacker likes and leaves nothing unusual in ordinary server logs. Versions 1.0.1g, 1.0.0 and 0.9.8 are not vulnerable. An attack targeting this vulnerability may expose:
- Primary key material (secret keys)
- Secondary key material (user names and passwords used by vulnerable services)
- Protected content (sensitive data used by vulnerable services)
- Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)
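To make the mechanism above concrete, here is an added simulation (not code from heartbleed.com or from OpenSSL) that mirrors the shape of the heartbeat handler before and after the 1.0.1g fix. The "process memory" is a constructed byte arena with a fake key fragment placed just beyond the received record; the request, the arena layout and the `run_demo` helper are all assumptions of this example. The vulnerable path copies as many bytes as the header claims, the fixed path applies the check OpenSSL added: the claimed payload plus header and minimum padding must fit inside the record that actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   (128 * 1024)

/* Constructed "neighbouring memory": stands in for whatever the server process
 * had on its heap (a fake key fragment for this demo, not a real key). */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- constructed-sample";

/* One connection's receive buffer plus the memory that follows it. */
static unsigned char arena[ARENA_SIZE];
static size_t record_len;                  /* bytes that actually arrived */
static unsigned char response[ARENA_SIZE]; /* what goes back to the peer */

/* Place a heartbeat request in the arena whose header claims `claimed_len`
 * payload bytes but only carries `actual_len`, then put SECRET further up. */
static void receive_request(uint16_t claimed_len, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);
    record_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + record_len + 100, SECRET, sizeof SECRET - 1);
}

/* Response builder; check_bounds = 0 is pre-1.0.1g behaviour, 1 is the fix. */
static int process_heartbeat(int check_bounds) {
    const unsigned char *p = arena;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* attacker-controlled */
    p += 2;

    if (type != HB_REQUEST)
        return -1;

    /* The check added in OpenSSL 1.0.1g: header + claimed payload + minimum
     * padding must fit inside the record that was really received. */
    if (check_bounds && 1 + 2 + (size_t)payload + HB_PADDING > record_len)
        return -1;   /* silently discard */

    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    response[0] = HB_RESPONSE;
    response[1] = (unsigned char)(payload >> 8);
    response[2] = (unsigned char)(payload & 0xff);
    /* Without the check this copies `payload` bytes starting at the request
     * payload, running past record_len into adjacent memory (up to 64 KiB). */
    memcpy(response + 3, p, payload);
    memset(response + 3 + payload, 0, HB_PADDING);  /* real code used random padding */
    return (int)resp_len;
}

/* Does the response carry bytes of SECRET that were never in the request? */
static int response_leaks_secret(int resp_len) {
    size_t n = sizeof SECRET - 1;
    if (resp_len < 0 || (size_t)resp_len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)resp_len; i++)
        if (memcmp(response + i, SECRET, n) == 0)
            return 1;
    return 0;
}

/* Run one scenario: returns response length (-1 = dropped), sets *leaked. */
int run_demo(int use_fixed, uint16_t claimed_len, size_t actual_len, int *leaked) {
    if (actual_len > 0xFFFF) actual_len = 0xFFFF;   /* keep within the arena */
    receive_request(claimed_len, actual_len);
    int len = process_heartbeat(use_fixed);
    *leaked = response_leaks_secret(len);
    return len;
}

int main(void) {
    int leaked;
    int len = run_demo(0, 0xFFFF, 3, &leaked);
    printf("vulnerable: %d-byte response, secret leaked: %s\n", len, leaked ? "yes" : "no");
    len = run_demo(1, 0xFFFF, 3, &leaked);
    printf("fixed:      %d (dropped), secret leaked: %s\n", len, leaked ? "yes" : "no");
    len = run_demo(1, 3, 3, &leaked);
    printf("fixed, honest request: %d-byte response, secret leaked: %s\n", len, leaked ? "yes" : "no");
    return 0;
}
```

The three runs show the whole story: a 3-byte request claiming 65535 bytes gets a 65554-byte reply containing the neighbouring "key" from the vulnerable handler, is silently dropped by the fixed one, and an honest 3-byte request still works after the fix. Nothing in the exchange is malformed at the TLS record layer, which is why the attack does not show up in normal access logs.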
What is the vulnerability?
Through the vulnerability, attackers can read the memory of servers (and clients) running the affected versions of OpenSSL, 64 KB at a time and without authenticating. What leaks is whatever the vulnerable process held at that moment: the private key of the server's SSL certificate, session cookies, usernames and passwords submitted by users, and other request and response content. Only the memory of the process that uses OpenSSL is exposed, so for a web server that means the web server's memory, not, for example, the host's SSH keys (OpenSSH itself is not affected). Attackers who obtain the private key for your SSL certificate can impersonate your site or mount a man-in-the-middle attack between you and your customers, and can decrypt recorded traffic unless the connections used forward-secret key exchange, obtaining secure information such as credit card numbers and authentication credentials.
What this means to you, our clients
We have been checking in with your hosting providers to make sure your site is secure. A host is only fully remediated once it has upgraded OpenSSL (to 1.0.1g, or to a distribution package with the fix backported), restarted every service that uses the library, and reissued its SSL certificates with new private keys, since a key that may already have leaked stays usable until the old certificate is revoked and replaced. Here is what your providers have published:
- Hostgator: http://blog.hostgator.com/2014/04/10/heartbleed-bug/
- Media Temple: http://status.mediatemple.net/incidents/851y3gd167d8
- Pantheon: https://www.getpantheon.com/heartbleed-fix
And checking in with other related services you might be using with your website:
- GoDaddy: http://support.godaddy.com/godaddy/openssl-and-heartbleed-vulnerabilities/
- Drupal: https://drupal.org/news/2014-04-08-security-update
- WordPress: http://wordpress.org/support/topic/heartbleed-bug-wordpress
- Amazon Web Services: https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/
You can check which other sites you log into and whether they have been fixed yet: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
What you need to do:
Update your passwords! But wait until each site has confirmed it is patched and has reissued its certificate: a password changed on a still-vulnerable site can leak just like the old one. Really try NOT to use simple words as your password (for example "password" or "gobears"). Read this list of the top worst / most used passwords (and avoid them!): https://xato.net/passwords/more-top-worst-passwords
Use this site to help decide where you should be changing your passwords: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Read More:
http://www.wordfence.com/blog/2014/04/what-wordpress-site-owners-need-to-do-about-the-heartbleed-vulnerability/
http://www.forbes.com/sites/jameslyne/2014/04/10/avoiding-heartbleed-hype-what-to-do-to-stay-safe/
http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/
http://www.businessinsider.com.au/how-to-create-strong-password-heartbleed-2014-4