What happened?
OpenSSL is software that protects your sensitive data as it travels back and forth over the Internet. There has been a bug recently discovered in the OpenSSL TLS Heartbeat implementation that can leak memory contents between your computer and web servers and vice versa. As such this has been named the ‘Heartbleed’ issue. The latest version of OpenSSL that was released on April 7th is no longer vulnerable to the bug, however the previous versions that have been around for up to 2 years are vulnerable. To put it bluntly this is one of the most serious issues to affect Internet security in over a decade.
In terms of scale, OpenSSL is used primarily by web servers such as Apache and Nginx which combined have a market share of over 66% for active sites on the Internet, according to the Netcraft April 2014 Web Server Survey. In addition to this OpenSSL can be used as protection for email servers, chat servers, virtual private networks, network appliances and a variety of client side software. It should be noted that not all of these are running HTTPS or vulnerable versions of OpenSSL but given the scope of the issue it would be best to assume that there is still a large proportion of services affected.
Our response
The File Sanctuary team worked tirelessly throughout the night to resolve the situation and have upgraded every system where we use OpenSSL to the latest release that no longer has the vulnerability. All keys and certificates that were at risk of compromise are in the process of being reissued (the certificate authorities are inundated with reissue requests right now, so this is taking some time). Finally, in the early hours of Wednesday our systems were rebooted to ensure all these changes have taken effect.
We take pride in the fact that we keep our customers and their data safe and secure. We made sure that we acted immediately on all available information to keep this promise to you. As such we are confident that all of your data is safe and that we have done everything in our power to keep it that way for you. At this point we would recommend that you follow the steps below, because you need to make sure that you are safe everywhere on the Internet, not just with File Sanctuary.
Am I affected?
There is no evidence to suggest that File Sanctuary’s systems were compromised at any point as a result of this issue. That said, any data captured by an attacker due to this particular vulnerability would be undetectable. As a result, the safest response is to assume that you have been compromised and take necessary steps. It is important at this point to remember that this is an Internet-wide issue and so you will need to take steps to protect all of your data across every service you use on the Internet.
What should I do?
We are in the process of revoking and reissuing any SSL certificate provided by us, however if you use SSL encryption on your site that is not provided by us you should have your certificates reissued by your supplier, and you should replace your existing certificates with the new ones.
Global Internet security experts are advising that all Internet users should be changing all their passwords at this time and we fully support this recommendation. We understand that safety is paramount and as such, in addition to changing your passwords, we would like to take the opportunity to remind you to use Two Factor Authentication wherever possible (here’s how to protect your customer portal account). In this circumstance a little paranoia is actually very healthy.
We will be monitoring the situation and as always, we work above and beyond to keep you and your data safe and secure. Any updates will be posted here on our blog and on Twitter and Facebook. If you do have any questions or fears about this vulnerability please feel free to get in touch with us and we will be happy to explain the situation and help you to get safely through this turbulent time.