Vulnerable organizations respond to encryption-breaking 'Heartbleed Bug'

Share this article:
Vulnerable organizations respond to encryption-breaking 'Heartbleed Bug'
Organizations are quickly responding to the encryption-breaking Heartbleed Bug

In the hours immediately following the grand disclosure of the Heartbleed Bug, a critical vulnerability in widely used versions of the OpenSSL library, most affected organizations worked feverishly to plug the hole that could result in decryption of communications that use SSL/TLS encryption.

OpenSSL 1.0.1 through 1.0.1f carry the bug and, right off the bat, internet corporation Yahoo was found to be one of the big companies running one of the vulnerable versions – but not for long after the disclosure, according to a statement emailed to SCMagazine.com on Wednesday.

“Our team has successfully made the appropriate corrections across the main Yahoo properties and we are working to implement the fix across the rest of our sites right now,” according to the statement, which adds that those properties include Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.

Yahoo did not respond to a query about whether it would adopt Perfect Forward Secrecy, a feature long wanted by the community, which would have prevented decryption via the Heartbleed Bug, Seth Schoen, senior staff technologist with the Electronic Frontier Foundation (EFF), told SCMagazine.com on Tuesday.

On the flipside, OkCupid, a popular dating website, has been using Perfect Forward Secrecy for a long while, at least for browsers that support it, Mike Maxim, head of infrastructure with OkCupid, told SCMagazine.com in a Wednesday email correspondence.

Although past traffic is secured, OkCupid was still running one of the vulnerable versions of the OpenSSL library.

“As a result of the bug, as of yesterday, we have upgraded our system to use the new, unaffected, version of OpenSSL (1.0.1g),” Maxim said. “In addition, we have reissued our SSL certificate after we upgraded OpenSSL. Users should not feel unsafe on the site. To be the most careful, a user can also change their password.”

Perhaps ironically, the Heartbleed Bug has not impacted OkCupid's traffic, Maxim said, explaining that, to the contrary, traffic right now is at an all-time high.

Meanwhile, website platform Pantheon spent the better part of 12 hours patching more than 60,000 Drupal and WordPress sites, according to a detailed blog posted Wednesday by David Strauss, CTO with Pantheon. The company fixed the problem by taking advantage of its unified, container-based infrastructure and was completely patched by Monday evening, Strauss wrote.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Reported breaches involving zero-day bug at JPMorgan Chase, other banks

Reported breaches involving zero-day bug at JPMorgan Chase, ...

Hackers exploited a zero-day vulnerability and gained access to sensitive information from JPMorgan Chase and at least four other financial institutions, reports indicate.

Data on 97K Bugzilla users posted online for about three months

During a migration of the testing server for test builds of Bugzilla software, data on about 97,000 Bugzilla users was inadvertently posted publicly online.

Chinese national had access to data on 5M Arizona drivers, possible breach ...

Although Lizhong Fan left the U.S. in 2007, the agencies responsible for giving him access to Americans' personal information have yet to disclose the details of the case to the public.