This piece was submitted by the new CIO of Experts Exchange, Gene Richardson.
What Is Heartbleed?
“Heartbleed” is the nickname for a vulnerability disclosed on April 7th, 2014 by security
researchers. Hundreds of thousands of websites and Internet services use a tool called OpenSSL to help secure websites by encrypting the connection between your device and a server. “Heartbleed” takes advantage of a security flaw introduced in an extension to OpenSSL named Heartbeat. The vulnerability will essentially ask the web server to disclose a limited portion of data stored in memory. Unfortunately, this can include the private keys used to decrypt communications encrypted by OpenSSL, which may include usernames, passwords, user communications, transactions on secured websites, and other sensitive information that was considered secure and encrypted.
What and Who Is Affected?
A web server makes websites, web applications, and various Internet services available. If a compromised version of OpenSSL was installed and used, then any user or technical process that relied on its encryption technology may be affected by “Heartbleed.” The underlying reason involves the possibility that encrypted information could be decrypted through the vulnerability. Unfortunately, “Heartbleed” does not leave evidence in server logs so many users and services may have unknowingly had their private information compromised.
What Has Experts Exchange Done To Fix This Problem?
Experts Exchange did not use the offending versions of OpenSSL on any of its systems or website. As a result, the Heartbleed vulnerability does not present a risk to Experts Exchange systems or users.
What Sites Are Affected?
The following website includes a growing list of affected vendors: “Vendor Information for VU#720951” (on kb.cert.org).