From time to time a security bug or vulnerability emerges from the woodwork and sweeps quickly across the Internet. But it’s been a while since we saw much on the scale of Heartbleed, a newly-discovered vulnerability that has created a stir in the blogosphere and in the news.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols for encrypting information that flows across the Web. “OpenSSL” is free software used widely across the Internet to implement SSL and TLS. This past Monday, word began to spread of a bug in OpenSSL. The bug could potentially allow an attacker to discover the SSL encryption keys used to secure usernames, passwords and other traffic on unpatched servers accessed via the Internet. As a result, the Heartbleed bug could effectively allow an attacker to silently eavesdrop on communications between Internet users and servers they thought, or hoped, were secure.
What does this all mean for users of TekSavvy services? TekSavvy doesn’t use the OpenSSL implementation of TLS in its corporate websites. As a result, Heartbleed has not compromised the security of transactions performed in MyAccount or orders placed on www.teksavvy.com. As for our Linux web hosting service, it was quickly upgraded to OpenSSL v1.0.1g, which is not vulnerable to the Heartbleed bug.
How do consumers know they are protected? As always, be skeptical, and be careful. But password management company LastPass has also published a tool to check whether a website is vulnerable to the Heartbleed bug (https://lastpass.com/heartbleed/). Check the blogs and Twitter feeds of the companies that you deal with for statements as to whether and how they were affected. And, of course, avoid re-using passwords on multiple websites, and change your passwords periodically. If nothing else, Heartbleed should remind us all of the importance of being aware and seeking transparency from each player in the chain of companies that provide the services you use.
For more technical information on Heartbleed and how to stop it, follow the links below:
OpenSSL Advisory (https://www.openssl.org/news/secadv_20140407.txt)
OpenSSL Patched Source (https://www.openssl.org/source/)
CERT Vulnerability Notes (http://www.kb.cert.org/vuls/id/720951)
Heartbleed Bug (http://heartbleed.com/)
Chief Information Officer,
TekSavvy Solutions Inc.