So, what’s Heartbleed?
Heartbleed is a bug in the underlying OpenSSL software that is used on most secure SSL sites on the internet. The bug allows attackers to read fragments of memory from the webserver, which can include very sensitive data such as login passwords, SSL encryption keys and credit card numbers: essentially any data that is sent to or processed by a secure website.
The bug has been in the OpenSSL software for about 2 years, though it only affects your website if you run a secure SSL site and the OpenSSL software is a particular version which is affected by this bug. There is, unfortunately, no way to know if anyone has made an attack on a website via this method since it leaves no traces. Now that the information about this issue is in the open, website and hosting providers are working to patch systems to ensure they are secure.
What we’re doing about it
This issue only affects a small number of our clients, all of whom we have contacted directly. Our hosting provider Rackspace is applying patches to the OpenSSL software to ensure it is no longer at risk of this bug.
For those clients with secure SSL sites running on affected OpenSSL software we will also do the following:
- Regenerate SSL certificate keys; this is a preventative measure in case the keys have been compromised
- Update our admin passwords for affected websites
What you need to do
If your website was affected you will have been contacted directly by Studio 24. We recommend you change your admin passwords for any affected websites immediately.
From a personal point of view, we strongly recommend you change your password on any sensitive web accounts you have. A list of websites known to be affected is linked below in the More info section. For example, Google and Facebook were affected, so if you have a Gmail or Facebook account you need to update your password. For those services that offer two-step authentication, it is recommended you enable this. Both Facebook and Google offer two-step authentication.
More info
- Announcement from the security team who discovered Heartbleed
- List of websites known to be affected by Heartbleed – it’s recommended you change your password on these sites
- Excellent video from Tom Scott on what Heartbleed actually is
- A more technical explanation of the bug from Matthew Green