Heartbleed bug

Phil Herring

Alien
Mar 25, 1997
4,924
- - Bainbridge Island
I had someone ask me about this today so I figured you all should know where we stand on it.

As soon as this started circulating in geek circles, before it hit the headlines, we examined our network and found that only one server was susceptible to the HeartBleed bug.

That server stores no user information of any kind: no usernames, no email addresses, no passwords (we haven't stored any credit card data on any of our servers for several years now).

Even though that server contained no data to steal, it was immediately patched, a new security certificate installed, and the old certificate revoked. Admin passwords have been changed.

Bottom line: whatever the NSA has in their files about you, they didn't get it here. :)
 
May 17, 2004
6,153
Beneteau Oceanis 37 Havre de Grace
Thanks to Phil and the team for, as expected, the great responsiveness and customer focus.
 
Sep 20, 2006
2,953
Hunter 33 Georgian Bay, Ontario, Canada
Canada Revenue Agency is still "offline" which means we can't e-file our tax returns, but still have till April 30.
 
Sep 25, 2008
1,096
CS 30 Toronto
Not against opensouce but a paid cert is about $240 with a $250k guarantee

An OpenSSL is free but issue like this make you think twice.
 
May 17, 2004
6,153
Beneteau Oceanis 37 Havre de Grace
Not against opensouce but a paid cert is about $240 with a $250k guarantee An OpenSSL is free but issue like this make you think twice.
These are two different things. OpenSSL is a set of software that lets servers generate and use certificates. What sites have to pay for is to get their certificates (generated by OpenSSL or other tools) signed by a trusted agent so users know the site is what it claims to be. The better comparison would be between OpenSSL and other ssl libraries like what's built into Windows servers.