Heartbleed – what you need to know
So, anyone with their eyes on the tech blogs or the national news will no doubt be aware of a significant security vulnerability in OpenSSL which is being referred to as one of the biggest security threats the internet has ever seen.
The issue has in fact existed since December 2011, but only became public knowledge last week. The vulnerability is present on any server running the affected version of OpenSSL – which was estimated at around 20% of all servers on the internet. It allows server memory information to be requested from the server when interacting with OpenSSL. If you’re not at all techie, XKCD has the best potted explanation.
What does this mean for my website?
The bug only affects websites using OpenSSL, this could be the case if your website uses HTTPS to securely transmit information. There is currently no evidence that knowledge of the issue was maliciously exploited by anyone prior to it becoming public, however the immediate priority is to secure any web server and website that could be affected by updating OpenSSL to a secure version. Once the server is secured, all SSL and SSH encryption keys should be changed, and any user passwords updated.
What we’re doing
In response to the threat, we’ve audited all the servers we run, manage or have access to. Of four potentially affected servers, one is internal and not accessible outside of the Freshleaf office; one is not currently in use; and the other two have been swiftly patched by our hosting provider, Rackspace. The server on which we host the majority of our clients’ websites was not affected.
We also changed passwords to all services we used, once we had confirmation that they had taken the necessary steps to secure their servers.
We are continuing to audit and review the situation, and are working with any affected clients to ensure that the necessary due diligence has been undertaken.