As you may have heard, a major security vulnerability, dubbed “Heartbleed” (CVE-2014-0160), was recently discovered in OpenSSL. OpenSSL is the library that implements SSL and TLS encryption, which underpins HTTPS, the secure communication between your computer and servers on the Internet. It is used by about two-thirds of the web servers in the world. The vulnerability was the result of a programming error (a missing bounds check in the TLS heartbeat extension) present in OpenSSL 1.0.1 through 1.0.1f; version 1.0.1g corrects it. Note for administrators: several Linux distributions shipped the fix as a patch to an older-numbered package, so the package changelog, not the version string alone, tells you whether a server is fixed.
We have already taken corrective action to resolve this issue, and at this time we have no reason to believe any sensitive user information was accessed. However, out of an abundance of caution, we recommend that all end users change their email passwords at their earliest convenience.
DETAILS
At its worst, Heartbleed allowed an attacker to read up to 64 KB of a server's memory per request, repeatedly and without leaving a trace in the server's logs. That memory could contain the private key for the server's SSL certificate as well as the contents of other users' encrypted sessions. In practical terms, anyone with the knowledge and skills to exploit this vulnerability had a window in which to grab user names, passwords, session cookies and any other private information you exchanged with practically any online service running an affected version of the OpenSSL toolkit. Because the private key may have been exposed, a site that only updated OpenSSL is not fully recovered until it has also reissued its certificate and revoked the old one; a password changed before that point can be captured again.
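How the bug works, as an added example that is not the page's own code nor OpenSSL's source: a cut-down C model of the TLS heartbeat handler, with the handler in the shape OpenSSL 1.0.1 through 1.0.1f shipped it (no bounds check) next to one carrying the two checks the 1.0.1g fix added. The memory arena, the record layout, the 512-byte claim and the sample secret are all constructed for the example; the check expressions mirror the shape of the real patch, but everything below is a model, not the library.

```c
/* Added example, not OpenSSL's code: a model of the TLS heartbeat handler
 * (RFC 6520), once without the bounds check (CVE-2014-0160) and once with the
 * two checks the 1.0.1g fix added. 'arena' stands in for the server's memory:
 * the heartbeat record sits at the front and a constructed secret from some
 * earlier request sits just beyond it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding after the payload */

/* One received TLS record: its bytes and the length that actually arrived. */
struct tls_record { const unsigned char *data; size_t length; };
typedef size_t (*hb_handler)(const struct tls_record *, unsigned char *, size_t);

static void s2n(unsigned char **p, uint16_t v)          /* write big-endian u16 */
{ *(*p)++ = (unsigned char)(v >> 8); *(*p)++ = (unsigned char)v; }
static uint16_t n2s(const unsigned char **p)            /* read big-endian u16 */
{ uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]); *p += 2; return v; }

/* Build a heartbeat request carrying 'actual' payload bytes whose header claims
 * 'claimed' bytes. Honest clients send claimed == actual; the probe does not. */
static size_t build_heartbeat_request(unsigned char *out, uint16_t claimed,
                                      const unsigned char *payload, size_t actual)
{
    unsigned char *p = out;
    *p++ = HB_REQUEST;
    s2n(&p, claimed);
    memcpy(p, payload, actual);
    p += actual;
    memset(p, 0, HB_PADDING);
    return (size_t)(p + HB_PADDING - out);
}

/* Shared tail: echo 'payload' bytes starting at 'pl' into a response record. */
static size_t write_response(unsigned char *resp, const unsigned char *pl, uint16_t payload)
{
    unsigned char *bp = resp;
    *bp++ = HB_RESPONSE;
    s2n(&bp, payload);
    memcpy(bp, pl, payload);          /* copies whatever follows 'pl' in memory */
    memset(bp + payload, 0, HB_PADDING);
    return (size_t)1 + 2 + payload + HB_PADDING;
}

/* Vulnerable: trusts the length field and never compares it to rec->length. */
static size_t heartbeat_vulnerable(const struct tls_record *rec, unsigned char *resp, size_t cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(&p);
    if (hbtype != HB_REQUEST || (size_t)1 + 2 + payload + HB_PADDING > cap)
        return 0;  /* the cap check only keeps this model from overflowing 'resp' */
    return write_response(resp, p, payload);
}

/* Fixed: the two checks from the 1.0.1g patch, then the same echo. */
static size_t heartbeat_fixed(const struct tls_record *rec, unsigned char *resp, size_t cap)
{
    const unsigned char *p = rec->data;
    if ((size_t)1 + 2 + HB_PADDING > rec->length)
        return 0;  /* too short to even hold type, length and padding */
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(&p);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec->length)
        return 0;  /* claimed payload exceeds the record: silently discard (RFC 6520 s.4) */
    if (hbtype != HB_REQUEST || (size_t)1 + 2 + payload + HB_PADDING > cap)
        return 0;
    return write_response(resp, p, payload);
}

/* Probe: a 3-byte heartbeat claiming 512 bytes, with a constructed secret placed
 * 64 bytes past the end of the record. Returns 1 if the reply contains the secret. */
static int secret_leaks(hb_handler handler)
{
    static unsigned char arena[4096], resp[4096];
    static const char secret[] = "user=alice&password=hunter2";  /* constructed sample */
    static const unsigned char hb[3] = { 'h', 'i', '!' };

    memset(arena, 0, sizeof arena);
    memset(resp, 0, sizeof resp);
    size_t reclen = build_heartbeat_request(arena, 512, hb, sizeof hb);  /* 22 bytes */
    memcpy(arena + reclen + 64, secret, sizeof secret);

    struct tls_record rec = { arena, reclen };
    size_t n = handler(&rec, resp, sizeof resp);
    for (size_t i = 3; n >= sizeof secret - 1 && i + sizeof secret - 1 <= n; i++)
        if (memcmp(resp + i, secret, sizeof secret - 1) == 0)
            return 1;
    return 0;
}

/* A well-formed 3-byte heartbeat: both handlers answer with 1 + 2 + 3 + 16 = 22 bytes. */
static size_t well_formed_response_len(hb_handler handler)
{
    unsigned char arena[64] = { 0 }, resp[64] = { 0 };
    static const unsigned char hb[3] = { 'h', 'i', '!' };
    size_t reclen = build_heartbeat_request(arena, 3, hb, sizeof hb);
    struct tls_record rec = { arena, reclen };
    return handler(&rec, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks the secret: %s\n", secret_leaks(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks the secret:      %s\n", secret_leaks(heartbeat_fixed) ? "yes" : "no");
    printf("well-formed request, fixed handler replies with %zu bytes\n",
           well_formed_response_len(heartbeat_fixed));
    return 0;
}
```

Build with `cc -std=c99 -Wall heartbleed_model.c`. The point the model makes: the unpatched handler happily echoes 512 bytes back when only 3 arrived, and what comes back is whatever happened to sit after the request in memory. On a real server that is the allocator's choice, which is why probing repeatedly, each time asking for the maximum 64 KB, eventually turned up cookies, passwords and key material. The fixed handler drops the malformed request without answering, exactly as the RFC requires, and still answers a well-formed one.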
Here is a list of some of the major websites and services that have commented on the latest Internet pandemic.
OTHER WEBSITES POSSIBLY AFFECTED
Google: “We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this — and encourage others to report them — so that we can fix software flaws before they are exploited.”
Dropbox: via @dropbox_support official Twitter “Quick update on #heartbleed: We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.”
Yahoo: via @YahooInc “Our team has fixed the #Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now.”
GoDaddy: “Since we’ve learned about the vulnerability, we’ve been updating GoDaddy services that use the affected OpenSSL version. This includes the servers we use as well as the shared hosting accounts our customers use to run their businesses. We’re also in the process of contacting our customers who use dedicated servers and providing them with the instructions they need to patch their servers and update their SSLs, if necessary.”
Canada Revenue Agency: The CRA has cut off public access to a number of electronic services on its website due to concerns over the Heartbleed Bug. The CRA told The Star’s Madhavi Acharya-Tom Yew that it will likely take until the weekend to restore service at its website.
OTHER WEBSITES POSSIBLY NOT AFFECTED
Twitter: “We were made aware of a critical vulnerability in OpenSSL (CVE-2014-0160), the security library that is widely used across the internet and at Twitter. We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation.”
Canadian Bankers Association: “The online banking applications of Canadian banks have not been affected by the Heartbleed bug. Canadians can continue to bank with confidence. Banks have sophisticated security systems in place to protect customers’ personal and financial information, including encryption and other measures.”
Amazon: “With the exception of the services listed below, we have either determined that the services were unaffected or have been able to apply mitigations that do not require customer action.”
The services Amazon listed as exceptions (affected, and possibly requiring customer action) were: Elastic Load Balancing, Amazon EC2, Amazon CloudFront, AWS OpsWorks and AWS Elastic Beanstalk.
Tumblr: “We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. … This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.”
PayPal: “We would like to assure you that with regards to the Heartbleed bug: 1) Your PayPal account is secure, 2) Your PayPal account details were not exposed in the past and remain secure, 3) You do not need to take any additional action to safeguard your information, 4) There is no need to change your password”
Evernote: “Evernote’s service, Evernote apps, and Evernote websites including https://www.evernote.com, Evernote Market, and the Evernote App Center all use non-OpenSSL implementations of SSL/TLS to encrypt network communications. None of them are or were ever vulnerable to the OpenSSL ‘Heartbleed’ vulnerability.”