With news breaking on Monday, April 7th, of Heartbleed, a vulnerability in the OpenSSL cryptographic library that is used by roughly two-thirds of all websites on the Internet, we want to update you on how this bug may have affected our infrastructure and clarify the actions we’re taking to protect our Customers, Clients and Partners.
What is the Heartbleed Bug?
By sending a specially crafted packet to a vulnerable server running an unpatched version of OpenSSL, an attacker can read up to 64 kB of the server’s working memory. This is the result of a classic implementation bug known as a buffer over-read.
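The over-read described above, as an added example that is not from the original post: a toy C model of a heartbeat handler that trusts the peer's claimed payload length, beside the hardened form that checks the claim against the bytes actually received. The record layout follows RFC 6520; the memory arena, the "secret" it holds and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Minimal model of a TLS heartbeat record (RFC 6520): 1-byte type, 2-byte
 * big-endian payload_length, payload, then at least 16 bytes of padding. */
#define HB_HDR 3
#define HB_PAD 16
/* Constructed stand-in for process memory: unrelated data (a pretend
 * session key) sits in the arena right after the received record. */
static unsigned char arena[64];
static const char secret[] = "SESSION-KEY-1234";
/* Honest payload is 2 bytes ("hi") plus zero padding; only the length field
 * says `claimed`. Returns the true record length, 21. */
size_t build_record(uint16_t claimed) {
    size_t rec_len = HB_HDR + 2 + HB_PAD;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)claimed;
    memcpy(arena + HB_HDR, "hi", 2);
    memcpy(arena + rec_len, secret, sizeof secret); /* data after the record */
    return rec_len;
}
/* The bug class: echoes as many bytes as the peer's length field claims,
 * never comparing that claim with the number of bytes actually received. */
int heartbeat_vulnerable(const unsigned char *rec, unsigned char *out, size_t cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed > cap) return -1;           /* guards only the output */
    memcpy(out, rec + HB_HDR, claimed);             /* over-reads into the arena */
    return claimed;
}
/* Hardened form (the check OpenSSL 1.0.1g added): header, claimed payload and
 * padding must all fit in the bytes really received, else the record is dropped. */
int heartbeat_hardened(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed + HB_HDR + HB_PAD > rec_len || (size_t)claimed > cap) return -1;
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}
/* Returns 1 if the vulnerable echo of a 32-byte claim contains the secret. */
int vulnerable_leaks(void) {
    unsigned char out[64];
    size_t rec_len = build_record(32);
    return heartbeat_vulnerable(arena, out, sizeof out) == 32 &&
           memcmp(out + (rec_len - HB_HDR), secret, 11) == 0;
}
/* Hardened verdict: -1 for the 32-byte claim, the echoed length for honest ones. */
int hardened_verdict(uint16_t claimed) {
    unsigned char out[64];
    return heartbeat_hardened(arena, build_record(claimed), out, sizeof out);
}
```

The same record is accepted by the first handler, which copies 32 bytes although only 21 arrived, and rejected by the second; with an honest length of 2 the hardened handler echoes exactly 2 bytes.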
There has been speculation that this vulnerability could expose server certificate private keys, making those sites vulnerable to impersonation. This would be the disaster scenario, requiring virtually every service to reissue and revoke its SSL certificates. Note that simply reissuing certificates is not enough; you must revoke the old ones as well.
What has been done?
Unfortunately, the certificate revocation process is far from perfect and was never built for revocation at mass scale. If every site revoked its certificates, it would impose a significant burden and performance penalty on the Internet. So we’ve spent a significant amount of time talking to our data center partners in order to ensure that we can safely and successfully revoke and reissue our customers’ certificates.
While the vulnerability seems likely to put private key data at risk, to date there have been no verified reports of actual private keys being exposed. We and our partners received early warning of the Heartbleed vulnerability and patched our systems 12 days ago.
We’ve spent much of the time running extensive tests to figure out what can be exposed via Heartbleed and, specifically, to understand if private SSL key data was at risk.
Heartbleed is being taken so seriously because OpenSSL is so widely used, because it has been exploitable for some time, and because essentially no servers locally encrypt their data the way we do. Your data is safe with us as we continue to extend our infrastructure and capabilities.