Important Heartbleed Information
Over the past week you have likely heard a great deal about the “heartbleed” bug present in versions 1.0.1 and 1.0.2 of OpenSSL. Below is a high level summary of this security vulnerability
What is SSL?
SSL is the cryptographic technology to secure information based over the Internet. For example, to encrypt a Web browsing session when you visit your banking website.
What is the security vulnerability?
The exploit permits an attacker to reveal the contents of a small amount of information present in memory within the web server’s SSL process memory space. The contents of this memory may contain username and passwords as well as cryptographic keys for recent sessions between users and website. For example, if you log into your banking website, an attacker may have been able to reveal your username and password, as well as, unencrypt the communication stream between your computer and the website while the session was active.
What may happen?
This information may provide an attacker access to your login information to a website as well as the cryptographic keys to decode what would otherwise be an encrypted communications session.
What Web services are affected?
Any OpenSSL implementation based on 1.01 and 1.02 flavors of OpenSSL. These versions were used by many major websites. Here is a list of the top 100 Internet sites and who was affected: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/ but you should inquire specifically with any critical web service providers that you utilize as your passwords should be changed AFTER any patches are deployed.
If you have questions, or would like more information, please contact us directly at 888.773.1203.