As you might have read or heard in the media, a serious vulnerability has been discovered in the OpenSSL library used by many servers on the internet. As part of our service to our customers, I am writing to explain what this means, and what impact it might have on your business.
Before I explain a little bit more about the Heartbleed bug, let me reassure you that no servers administered by GI Computer Innovations are affected by this bug. This means (for those of our clients whose websites use SSL certificates), that none of your company data on those servers, nor any of the encrypted connections to those servers were ever at risk from this bug.
Why is this bug such a big deal?
Each day, millions of connections are made to internet server using the SSL protocol. SSL is an acronym for “Secure Sockets Layer’, and it is a system that (among other things), ensures that data transferred between a server and a client is safe from being intercepted and ‘snooped’ by a third party. In tomorrow’s blog post to the GICI website I will explain in more detail how SSL works, and the reasons that you might want to use an SSL certificate for your website.
The Heartbleed bug is a bug in the software used by some (but not all) servers to handle SSL connections. If a server is using a vulnerable version of OpenSSL, it is possible for a hacker to intercept and read the data in the SSL connection. This is bad news in itself, but it gets worse. The bug also allows a hacker to ‘see’ into the memory on the affected server. This, in turn might allow the hacker to snoop the data in EVERY SSL connection made to that server, or to steal usernames and password from the server. That’s very bad news indeed.
How widespread is this bug?
Initial estimates are that more than 500,000 websites were vulnerable when this first came to light. Affected sites included sites such as Yahoo.com and Flickr.com. Conversely, Google.com, facebook.com, and you tube.com were among those site unaffected. Nonetheless, this is affecting a very large number of sites, and it will be a while before everyone upgrades to ‘safe’ version of OpenSSL.
What should I do?
As I mentioned above, we have checked those servers which we administrator websites on, and which use OpenSSL, and have confirmed that none of them is vulnerable. In wider terms, keep your eye on the media for updates, watch out for communications from other website that you personally use. It is quite likely that some organisations will be advising their customer to change their passwords once they have updated software in place. For more information about “The Heartbleed Bug” see http://heartbleed.com/
Finally, as your IT Support company, we at GICI are always ready to answer any questions you may have. Please contact us if you have further concerns or questions.