The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, usernames and passwords.
Who found the Heartbleed Bug?
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. Codenomicon team found heartbleed bug while improving the SafeGuard feature in Codenomicon’s Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to OpenSSL team.
So what does that really mean to you?
It means, if the webservers are vulnerable to this attack, then someone can steal usernames and passwords, personal and financial details without leaving any trace of their attack.
Is this a problem within the Secure Certificates that we have purchased on your behalf – if you have requested this. No. This is implementation problem, i.e. programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to the applications and services.
Is this a problem for Aspidistra Customers?
At Aspidistra we do not store credit card numbers or any financial details on our servers. All credit card details are handled by Sage Pay server which is PCI compliant and secured. I have asked sage pay for their vulnerability on this issue and they have reassured me that “We are not affected by this particular vulnerability as we do not use a vulnerable version of the OpenSSL library.”
If you have asked Aspidistra to install an SSL on the webserver, is the Server and SSL fit for purpose. I have run the tests recommended by our SSL provider and the answer to this is Yes. Both the server and the SSL are not vulnerable to the Heartbleed attack. Running an analysis tool recommended by our SSL provider, we found that our servers with ‘SSL’s with EV’ and ‘Standard SSL’s’ are not vulnerable to the Heartbleed attack.
Further information can be viewed at http://www.heartbleed.com.