Heartbleed is the nickname for a critical vulnerability discovered in some versions of OpenSSL, one of the most popular SSL libraries used in a number of open source products.
The heartbleed.com website has been set up to provide more information about this bug and its effects.
If you are concerned about whether you, or a site you use, are affected, there are a number of third-party sites offering testing services, including: https://filippo.io/Heartbleed.
Important Facts
- Our website and hosting services were unaffected by this vulnerability.
- OpenSSL versions 1.0.1 through 1.0.1f with the heartbeat extension enabled are affected.
- OpenSSL version 1.0.1g addresses the vulnerability. Versions of OpenSSL prior to 1.0.1 are unaffected.
- SSL/TLS is not broken.
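The facts above give an administrator a simple first check: compare the output of `openssl version` against the affected range. The following helper is an added example (not from Edikon or the OpenSSL project) that parses such a banner and applies the 1.0.1 through 1.0.1f rule; the sample banners in it are constructed. Two caveats it encodes as comments: distributions often backport the fix without changing the upstream letter, and builds compiled without heartbeat support are not affected, so a "True" result means "verify further" rather than "confirmed vulnerable".

```python
import re

# Affected range per the facts above: 1.0.1 through 1.0.1f inclusive.
# 1.0.1g carries the fix; branches before 1.0.1 never shipped the heartbeat code.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns (major, minor, fix, patch_letter), or None if the banner is not
    recognised. The patch letter is '' for a plain 'x.y.z' release.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_affected(banner):
    """True if the banner's version falls inside 1.0.1 .. 1.0.1f.

    Caveats (assumptions stated in the lead-in, not claims about any particular
    host): a distribution may have backported the fix while keeping the same
    upstream version string, and a build compiled without heartbeat support is
    not affected, so True means 'check the package changelog and the vendor
    advisory', not 'confirmed vulnerable'.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % (banner,))
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        # 0.9.8 / 1.0.0 predate the heartbeat code; 1.0.2+ branched after the fix.
        return False
    # Within the 1.0.1 branch: '' (plain 1.0.1) through 'f' are affected,
    # 'g' and every later letter carry the fix.
    return letter <= "f"


def triage(banners):
    """Classify several banners at once; returns {banner: 'affected'|'not affected'}."""
    return {b: ("affected" if is_heartbleed_affected(b) else "not affected")
            for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real system.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
    ]
    for banner, verdict in triage(samples).items():
        print("%-36s %s" % (banner, verdict))
```

Run it on a host with `python3 check.py` after pasting the real banner into `samples`, or import `is_heartbleed_affected` into an inventory script. Treat the result as the starting point of the conversation with the package vendor, not as the final word: the version letter alone cannot tell a backported fix from an unpatched build.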
Q. How does this affect Edikon customers?
A. While Edikon was unaffected by the Heartbleed vulnerability, we are, as a precaution, suggesting Edikon customers change their account passwords as it is not uncommon for people to use the same password with multiple service providers.
Q. How did Edikon avoid being vulnerable to this bug?
A. Edikon takes security seriously and always makes every effort to keep our systems patched and up-to-date. In this particular case, Edikon was unaffected because our systems either did not use OpenSSL at all or, in a few cases, used a version of OpenSSL that was not affected by the vulnerability.
Q. Does this impact my Edikon hosting account?
A. No, our hosting service was unaffected by the Heartbleed vulnerability.
Q. Does this impact my SSL Certificate?
A. The answer here is a bit more complicated. If you have an SSL certificate purchased through Edikon and use it on hosted services provided by Edikon, then you are unaffected.
Q. I used an SSL Certificate purchased at Edikon with another service or on my own servers. Am I affected?
A. That depends on the third-party service provider. If that service was affected by the Heartbleed bug, then you should be concerned. Hopefully the service has been patched already, but even then, as a precaution, you should consider re-issuing your SSL Certificate, installing it, and then revoking the old one. Instructions for that are below for Symantec and Comodo brands.
Q. What is the difference between OpenSSL and an SSL Certificate? Why is only one affected by this bug?
A. OpenSSL is an open source library that implements the SSL protocol. An SSL Certificate is, essentially, the digital lock used by SSL to secure internet communications. It contains, amongst other things, the identity of the certificate's owner and some indication of who verified the certificate's creation (the Certificate Authority, or CA). The Heartbleed vulnerability affected websites or systems that used the OpenSSL library, not the certificates themselves.
Q. If the certificates were not affected, why are hosting companies suggesting they be reissued?
A. Security researchers discovered that the Heartbleed vulnerability made it possible to recover both the public and private keys that are used to create the SSL Certificate. Even after the OpenSSL vulnerability was patched, a private key recovered this way could still be used to decrypt future messages; revoking and reissuing the SSL certificate makes that impossible.