Heartbleed OpenSSL Update
Recently you may have heard about the vulnerability discovered in the OpenSSL library dubbed Heartbleed. This vulnerability impacted servers and services using versions 1.0.1 through 1.0.1f, potentially allowing an attacker to intercept encrypted traffic. The impacted code had been in the wild for approximately 2 years. There is significantly more information available at heartbleed.com if you are interested in more of the technical details and implications.
The more challenging aspect of this particular vulnerability is that patching the bug does not completely mitigate the possibility of data exposure. If a site had been attacked in the past and the same SSL certificate continued to be used after the fix was put in place, the attacker could potentially continue to intercept data transmitted over SSL. As such, updating the server is not enough to mitigate the potential issue; the SSL certificate also needs to be replaced with one that uses a different public/private key pair.
We take issues like this very seriously at Triple I. To mitigate the potential impact from this widespread bug we have:
- kept our servers patched with the latest versions of libraries available for their operating systems. The patch for OpenSSL was applied the day it was released.
- notified clients utilizing SSL certificates that may have been compromised and re-issued their SSL certificates. This means that in the event that one of the certificates had been compromised, the attacker would be unable to continue to decrypt information being transmitted with the old SSL certificate.
We have no indication that any of our clients were targeted or that any data was compromised during this period of time. This has been a widespread issue, so it is a good time to remind everyone to update their passwords on a regular basis.
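A re-issued certificate only closes the exposure described above if it carries a new key pair, so the following added check (not part of the original post) compares the public-key hash of the old and the replacement certificate. The file names, the `example.test` subject and the self-signed demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names and the example.test subject are assumptions.

# Print the SHA-256 of a certificate's public key (DER SubjectPublicKeyInfo).
spki_sha256() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Compare the old certificate ($1) with its replacement ($2). Prints:
#   REUSED      same public key, so the old private key still matches
#   REKEYED     the replacement uses a different key pair
#   UNREADABLE  one of the files is not a parseable certificate
rekey_status() {
    old=$(spki_sha256 "$1") || { echo UNREADABLE; return 0; }
    new=$(spki_sha256 "$2") || { echo UNREADABLE; return 0; }
    if [ "$old" = "$new" ]; then echo REUSED; else echo REKEYED; fi
}

# Constructed sample input: three self-signed certificates written to dir $1.
make_demo_certs() {
    d=$1
    # Certificate that was in service while the server was unpatched.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
    # Re-issued from the SAME private key: new certificate, same exposure.
    openssl req -x509 -new -key "$d/old.key" -days 1 -subj "/CN=example.test" \
        -out "$d/reissued_same_key.crt" 2>/dev/null
    # Re-issued from a freshly generated key pair.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/new.key" -out "$d/rekeyed.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
for c in reissued_same_key.crt rekeyed.crt; do
    echo "$c: $(rekey_status "$demo/old.crt" "$demo/$c")"
done
rm -rf "$demo"
```

A `REUSED` result means the replacement has to be generated again from a new private key, and the old certificate should be revoked either way.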