SECURITY WARNING: The OpenSSL “Heartbleed Bug”


If you’ve ever submitted any kind of private or sensitive information to a website—including usernames, passwords, credit card numbers, social security numbers, addresses, and phone numbers—this security alert applies to you.

This week, security researchers disclosed a serious vulnerability in the OpenSSL encryption library. Roughly two-thirds of web servers use OpenSSL, as do many email, instant messaging, and virtual private network (VPN) services. These services use OpenSSL to establish an encrypted connection between the service and the user (or between two or more users) so that the data transferred between them cannot be read if it is intercepted. Usually, not every page on a website that uses OpenSSL is encrypted, only the pages that require a secure connection, such as those where users enter their usernames and passwords or submit credit card information.

The vulnerability has been nicknamed the “Heartbleed Bug” because it sits in the code for the TLS “heartbeat extension,” an optional keep-alive feature that lets one end of a secure connection check that the other end is still there without renegotiating the session. A heartbeat request carries a short payload together with a field stating the payload’s length, and the server is supposed to echo the payload back. Vulnerable versions of OpenSSL trust that length field without comparing it with the amount of data actually received, so an attacker who sends a tiny payload but claims it is up to 64 kilobytes long gets back that many bytes of whatever happened to be in the server’s memory. Repeating the request can turn up session cookies, usernames and passwords that were in flight, and, in the worst case, the server’s private key. With the private key, an attacker can impersonate the site and decrypt any traffic he is able to capture, including traffic recorded before the key was stolen unless the connection used forward-secret cipher suites. The bug does not give direct access to the site’s databases, but credentials pulled out of memory may.
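The mechanism described above, as an added illustration in C that is not OpenSSL’s own code: a simulated heartbeat handler with the missing bounds check placed beside the patched version. The arena standing in for server memory, the LEFTOVER contents and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   byte 0      type: 1 = request, 2 = response
 *   bytes 1-2   payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 65535

/* Constructed stand-in for a slice of the server process's memory. The received
 * TLS record sits at the start; whatever the heap holds just past it is what a
 * Heartbleed request can read. The arena is big enough that even a 65535-byte
 * claim stays inside it, so this simulation itself never reads out of bounds. */
#define ARENA_SIZE (3 + HB_MAX_PAYLOAD + HB_PADDING)
static unsigned char arena[ARENA_SIZE];

/* Constructed leftover heap contents (hypothetical cookie and key fragment). */
static const char LEFTOVER[] = "session=deadbeef; -----BEGIN RSA PRIVATE KEY-----";

/* Place a heartbeat request in the arena. `claimed` is the length written into
 * the header by the sender; `actual` is how many payload bytes really follow.
 * Returns the record length, i.e. what the TLS layer actually received. */
size_t build_request(uint16_t claimed, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);
    size_t record_len = 3 + actual + HB_PADDING;
    memcpy(arena + record_len, LEFTOVER, sizeof LEFTOVER);  /* "stale" heap data after the record */
    return record_len;
}

static uint16_t claimed_length(void) {
    return (uint16_t)((arena[1] << 8) | arena[2]);
}

/* Vulnerable handling (OpenSSL 1.0.1 through 1.0.1f): the claimed length is
 * trusted and never compared with record_len, so the copy runs past the end of
 * the record into neighbouring memory. Returns the response length. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap) {
    (void)record_len;                       /* never consulted: this is the bug */
    uint16_t payload = claimed_length();
    if (3 + (size_t)payload + HB_PADDING > out_cap) return 0;   /* protects only `out` */
    out[0] = HB_RESPONSE;
    out[1] = arena[1];
    out[2] = arena[2];
    memcpy(out + 3, arena + 3, payload);    /* over-read: echoes up to 64 KiB of memory */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Patched handling (OpenSSL 1.0.1g): a request whose claimed payload does not
 * fit inside the record that was actually received is silently dropped. */
size_t heartbeat_patched(size_t record_len, unsigned char *out, size_t out_cap) {
    if (record_len < 3 + HB_PADDING) return 0;                    /* no room for header + padding */
    uint16_t payload = claimed_length();
    if (3 + (size_t)payload + HB_PADDING > record_len) return 0;  /* the missing check */
    if (3 + (size_t)payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = arena[1];
    out[2] = arena[2];
    memcpy(out + 3, arena + 3, payload);    /* now bounded by record_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Returns 1 if the leftover key marker shows up anywhere in a response. */
int response_leaks_secret(const unsigned char *resp, size_t len) {
    const char marker[] = "PRIVATE KEY";
    size_t m = sizeof marker - 1;
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(resp + i, marker, m) == 0) return 1;
    return 0;
}

int main(void) {
    static unsigned char out[ARENA_SIZE];
    /* Attacker sends 4 real payload bytes but claims 4000. */
    size_t record_len = build_request(4000, 4);
    size_t n = heartbeat_vulnerable(record_len, out, sizeof out);
    printf("vulnerable: %zu-byte response, leaks secret: %d\n", n, response_leaks_secret(out, n));
    n = heartbeat_patched(record_len, out, sizeof out);
    printf("patched: %zu-byte response (0 = request dropped)\n", n);
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the record length; everything an attacker gets back from the vulnerable version beyond the four bytes actually sent is whatever happened to follow the record in memory.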

The code containing the “Heartbleed Bug” was added to OpenSSL in December 2011 and first shipped in OpenSSL 1.0.1, released in March 2012. Exploiting it leaves no trace in ordinary server or application logs, so unless a site was capturing raw network traffic there is no way to tell whether the vulnerability was ever used to steal data from it.

The “Heartbleed Bug” in no way affects any of onthenetOffice’s hosted solutions, our website, or any of the systems that we use to process and store your payment information. In general, though, here is what you need to do in order to protect yourself from this vulnerability:

  • Make sure that a site is secure before you send any sensitive data to it. You can use this app to check whether a site is running a fixed version of OpenSSL.
  • Make a list of all of the websites to which you have ever sent sensitive data. Change your passwords for these websites only after you have confirmed that they are running a fixed version of OpenSSL, or that they never used a vulnerable version. Changing a password on a site that is still vulnerable simply hands the new password to an attacker.
  • Find out whether your company’s website uses, or has used, OpenSSL versions 1.0.1 through 1.0.1f (run `openssl version` on the server). If it does, update to OpenSSL 1.0.1g immediately (or rebuild with -DOPENSSL_NO_HEARTBEATS if you cannot upgrade yet) and restart every service that links against the library. Then generate new private keys, have your certificates reissued and the old ones revoked, since the old keys may already have been read from memory, invalidate existing user sessions, and ask your users to reset their passwords.

To ask for assistance in responding to the “Heartbleed Bug” or for more information, onthenetOffice users should contact onthenetOffice 24x7x365 technical support at support@onthenetOffice.com or 1-855-668-4363.
