How the Skyscrapers are dealing with Heartbleed
Published on April 11, 2014 by Frederik Denkens
By now you’ve probably heard about the “Heartbleed bug”. It’s a scary name for a scary security problem. The problem lies in one of the main software components that is used to protect many sites on the internet. Many of our customers rely on it for securing their applications.
As transparency is one of our core values, we wanted to let you know what we know and how we are ensuring our customers remain as safe as possible.
What exactly is the problem?
OpenSSL is a main component used for setting up secure communications over the internet using cryptography. It is best known for secure HTTP traffic between browsers and servers.
This week, on April 7th, a team of experts announced they had discovered a critical software bug in the latest version of OpenSSL. It effectively exposes the secret key that should never leave the server. With this key, anyone on the internet can decrypt protected web traffic to that server. This would allow them to steal your password and other sensitive information, effectively giving them full control.
Although it was just discovered, the bug has been around for more than two years. This means we need to carefully review what the potential impact could be.
That’s the short summary of the problem. Head to the Heartbleed website for a more detailed and technical explanation.
How did we react?
Shortly after the announcement, we updated all of the systems we manage, including those of our customers, to a safe version of the OpenSSL library.
We’ve made an inventory of potentially affected systems and the secret keys that may have been at risk. Over the following days, we will be replacing those keys with newly generated ones. Other assets that depend on those keys (certificates, SSH keypairs, etc.) will also be replaced.
What does this mean for our managed customers?
Affected managed cloud customers of ours can rest assured. All systems have been patched and we will take all necessary further steps to ensure the integrity of their hosting platform. Over the coming days we will contact every affected customer to confirm our work and inform them of any steps they might have to take.
As always, don’t hesitate to get in touch with us should you have any other concerns or questions.
This is a major security problem all over the internet, so make sure you change your passwords at any online service you may use (Google Apps, Facebook, etc.). Oh, and be more creative than ‘password123’.