Vulnerable organizations respond to encryption-breaking 'Heartbleed Bug'
Organizations are quickly responding to the encryption-breaking Heartbleed Bug
In the hours immediately following the grand disclosure of the Heartbleed Bug, a critical vulnerability in widely used versions of the OpenSSL library, most affected organizations worked feverishly to plug the hole that could result in decryption of communications that use SSL/TLS encryption.
OpenSSL 1.0.1 through 1.0.1f carry the bug and, right off the bat, internet corporation Yahoo was found to be one of the big companies running one of the vulnerable versions – but not for long after the disclosure, according to a statement emailed to SCMagazine.com on Wednesday.
“Our team has successfully made the appropriate corrections across the main Yahoo properties and we are working to implement the fix across the rest of our sites right now,” according to the statement, which adds that those properties include Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.
Yahoo did not respond to a query about whether it would adopt Perfect Forward Secrecy, a feature long wanted by the community. That feature would have prevented decryption via the Heartbleed Bug, Seth Schoen, senior staff technologist with the Electronic Frontier Foundation (EFF), told SCMagazine.com on Tuesday.
On the flipside, OkCupid, a popular dating website, has been using Perfect Forward Secrecy for a long while, at least for browsers that support it, Mike Maxim, head of infrastructure with OkCupid, told SCMagazine.com in a Wednesday email correspondence.
Although past traffic is secured, OkCupid was still running one of the vulnerable versions of the OpenSSL library.
“As a result of the bug, as of yesterday, we have upgraded our system to use the new, unaffected, version of OpenSSL (1.0.1g),” Maxim said. “In addition, we have reissued our SSL certificate after we upgraded OpenSSL. Users should not feel unsafe on the site. To be the most careful, a user can also change their password.”
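The two remediation themes above, patching the 1.0.1 through 1.0.1f range to 1.0.1g and reissuing certificates, and running ephemeral key exchange so that past traffic stays protected (Perfect Forward Secrecy), lend themselves to a small fleet-triage check. The following is an added example written for this article, not code from SC Magazine, Yahoo or OkCupid: it parses `openssl version` banners, classifies OpenSSL cipher-suite names by whether their key exchange is ephemeral, and turns a constructed host inventory (hostnames, banners and cipher names are all made up for the example) into a per-host action list. The version test covers only the range the article names and, as the comment notes, cannot see a distribution's backported fix.

```python
import re

# Range named in the article: 1.0.1 through 1.0.1f carry the bug; 1.0.1g fixes it.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_PATCH = "g"

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letter) from a version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_heartbleed_version(banner):
    """True when the banner reports 1.0.1 (no letter) through 1.0.1f.

    Caveat: this is a version-string check only. Distributions that backport the
    fix keep an old version string, so a host can report 1.0.1e and still be fixed;
    confirm with the package changelog or a handshake test before acting on a hit.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return False
    branch, patch = parsed
    if branch != VULNERABLE_BRANCH:
        return False
    # "" (plain 1.0.1) and "a".."f" sort below "g"; "g" and later do not.
    return patch < FIRST_FIXED_PATCH


def has_forward_secrecy(cipher_name):
    """True for OpenSSL cipher names whose key exchange is ephemeral.

    ECDHE-/DHE-/EDH- prefixed suites negotiate a fresh key per session, so a later
    leak of the server's long-term private key does not decrypt recorded traffic.
    Static RSA suites (e.g. AES128-SHA) and static ECDH (ECDH-) do not give that.
    """
    return cipher_name.startswith(("ECDHE-", "DHE-", "EDH-"))


# Constructed inventory for the example: "<host> <openssl version banner> <negotiated cipher>".
INVENTORY = """\
www.example.test   OpenSSL 1.0.1e 11 Feb 2013   ECDHE-RSA-AES128-GCM-SHA256
mail.example.test  OpenSSL 1.0.1g 7 Apr 2014    AES128-SHA
api.example.test   OpenSSL 1.0.0l 6 Jan 2014    DHE-RSA-AES256-SHA
old.example.test   OpenSSL 0.9.8y 5 Feb 2013    AES256-SHA
"""

ACTION_UPGRADE = "upgrade OpenSSL to 1.0.1g or later"
ACTION_REISSUE = "reissue certificate (private key may have been exposed)"
ACTION_PFS = "enable ephemeral key exchange (ECDHE/DHE) for forward secrecy"


def triage(inventory_text):
    """Map each host to the list of remediation actions the inventory line implies."""
    report = {}
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        host, cipher = parts[0], parts[-1]
        banner = " ".join(parts[1:-1])
        actions = []
        if is_heartbleed_version(banner):
            # The article's sequence: upgrade first, then reissue the certificate.
            actions += [ACTION_UPGRADE, ACTION_REISSUE]
        if not has_forward_secrecy(cipher):
            actions.append(ACTION_PFS)
        report[host] = actions
    return report


if __name__ == "__main__":
    for host, actions in triage(INVENTORY).items():
        print(host, "->", actions or ["no action"])
```

Run as a script it prints one line per host; the only host needing the upgrade-and-reissue pair is the one on 1.0.1e, while the patched 1.0.1g host still gets flagged for the static-RSA cipher it negotiated.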
Perhaps ironically, the Heartbleed Bug has not impacted OkCupid's traffic, Maxim said, explaining that, to the contrary, traffic right now is at an all-time high.
Meanwhile, website platform Pantheon spent the better part of 12 hours patching more than 60,000 Drupal and WordPress sites, according to a detailed blog post published Wednesday by David Strauss, CTO with Pantheon. The company fixed the problem by taking advantage of its unified, container-based infrastructure and was completely patched by Monday evening, Strauss wrote.