Heartbleed vulnerability

As you may have heard, a major bug in some versions of the OpenSSL encryption library used by most of the Internet, including our servers, was widely publicized this week.  The primary source of authoritative information is the Heartbleed.com site.  We quickly made a preliminary assessment of our systems that largely reassured us, but needed some time to make a complete assessment and to give you definitive answers, which we can now do.

The good news:

None of our production services – Web, Mail, Groups, Shield – were operating on vulnerable versions of OpenSSL at any time, so there was no exposure there.  Your EE passwords, your message contents, your certificate keys (if you have Web service with SSL) were all secure against this attack on these systems, so there is no need to update them.

Tech detail:  We do keep the software behind these services fully updated, but the branch of the OpenSSL library they use is not the one affected by the Heartbleed vulnerability.

The less-good news:

We did have one other system that was running a vulnerable version. It has since been updated to eliminate the vulnerability, and its SSL certificates have been reissued with new keys.

Further info:

  • Vox.com has a good writeup that may be more user-friendly than Heartbleed.com.
  • The New York Times has a good Heartbleed Q & A that may answer any remaining questions.
  • You can use this Heartbleed tester tool to check any sites you use for vulnerability before proceeding to update passwords or other sensitive information there.

The bottom line is that we at Electric Embers got rather lucky with the OpenSSL version we were using almost everywhere, so the exposure here was quite limited, and there are much bigger and therefore likelier targets on the Internet (e.g. Amazon.com or your financial institution) where financial info could have been exposed.  Supposedly secure transactions across the Internet have been potentially insecure for at least the last two years, with significantly broader potential exposure elsewhere than here at Electric Embers.  But you do need to be aware in general of the possibility of exposure due to this bug.