Texas Creative & Heartbleed
Notice: We’ve investigated our hosted resources along with Rackspace, our hosting provider, and have determined that our production hosting platform is not vulnerable to the Heartbleed bug. We’re not using the vulnerable version of OpenSSL on our production server.
In order to encrypt a website with an SSL certificate, encryption keys are generated. The most common program used to encrypt, transmit and confirm these keys is OpenSSL. The security vulnerability that was discovered is in that program, more specifically in a component of the program called Heartbeat. This bug can leak private encryption keys and other sensitive information to an attacker and is virtually untraceable. For more detailed information on Heartbleed, see the official website: http://heartbleed.com
Since the bug is in OpenSSL — the most popular SSL program — many websites using “https://” would have been vulnerable. The response by system administrators to patch the vulnerability has been swift since the announcement, but because the attack leaves little to no trace, it’s uncertain whether the exploit has been used in the wild and, if so, for how long before the public announcement.
What should you do?
The main thing we can do as end users is to remain diligent.
- Confirm with your online financial institutions that they have patched OpenSSL (if they were vulnerable) before logging into their systems again.
- After you’ve confirmed that they’ve patched their systems, reset your password to something new.
- If you have a website running on https, confirm with your hosting provider that they’ve patched OpenSSL (if they were vulnerable).
This is a handy tool that can check to see if a site is vulnerable. The accuracy of these kinds of tools may vary, but I like this one because it attempts the actual exploit against the server. If the site passes this, it should be fine: http://filippo.io/Heartbleed
Texas Creative takes your security seriously. If you have any additional questions or concerns, please contact us.