Vulnerable organizations respond to encryption-breaking 'Heartbleed Bug'

Organizations are quickly responding to the encryption-breaking Heartbleed Bug

In the hours immediately following the public disclosure of the Heartbleed Bug, a critical vulnerability in widely used versions of the OpenSSL library, most affected organizations worked feverishly to plug a hole that lets an attacker read chunks of a server's memory, potentially including the private key that protects its SSL/TLS communications, which could then be used to decrypt that traffic.

OpenSSL 1.0.1 through 1.0.1f carry the bug, and Yahoo was quickly found to be among the big companies running one of the vulnerable versions. It did not stay that way for long after the disclosure, according to a statement the company emailed on Wednesday.
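The first question a practitioner has to answer is whether a given build falls in that range. The following Python is an added example, not code from the article or from any organization named in it: it parses the version token printed by `openssl version` and triages a constructed inventory against the affected range the article gives (1.0.1 through 1.0.1f, with 1.0.1g the fixed release). The 1.0.2-beta1 check goes beyond the article; that beta was also affected according to the OpenSSL advisory. Hostnames are made up; the version strings mimic real `openssl version` output.

```python
import re

# Regex for the version token in `openssl version` output, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014",
# or a bare "1.0.1g". OpenSSL 1.x numbering is major.minor.fix plus an
# optional patch letter; the bare release sorts before "a".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-([A-Za-z0-9]+))?")


def parse_openssl_version(text):
    """Extract (major, minor, fix, patch_letter, suffix) from a version string.

    Returns None when no version token is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, fix, letter, suffix = match.groups()
    return int(major), int(minor), int(fix), letter or "", suffix or ""


def is_heartbleed_affected(text):
    """Return True if the version string names a Heartbleed-affected release.

    Affected range from the article: 1.0.1 through 1.0.1f; 1.0.1g is fixed.
    1.0.2-beta1 was also affected (OpenSSL advisory; beyond the article).
    The 0.9.8 and 1.0.0 branches never had the bug.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("no OpenSSL version token found in: %r" % text)
    major, minor, fix, letter, suffix = parsed
    if (major, minor, fix) == (1, 0, 1):
        # Patch letters are alphabetical; "" (plain 1.0.1) <= "f" holds too.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return suffix == "beta1"
    return False


def hosts_to_patch(inventory):
    """Return the sorted hostnames whose reported version is affected.

    `inventory` maps hostname -> raw `openssl version` output. Caveat: a
    distribution that backported the fix keeps the old version string (RHEL
    and Debian shipped patched 1.0.1e builds), so a hit here is a lead to
    confirm against the package changelog, not proof of exposure.
    """
    return sorted(host for host, ver in inventory.items()
                  if is_heartbleed_affected(ver))


# Constructed sample inventory: hostnames are made up, version strings
# follow the format `openssl version` prints.
SAMPLE_INVENTORY = {
    "web-01.example.test": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-01.example.test": "OpenSSL 1.0.0k 5 Feb 2013",
    "cdn-01.example.test": "OpenSSL 1.0.1 14 Mar 2012",
    "beta-01.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-01.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host in hosts_to_patch(SAMPLE_INVENTORY):
        print("PATCH:", host, "->", SAMPLE_INVENTORY[host])
```

Run against the sample inventory, the script flags web-01, cdn-01 and beta-01 and leaves the 1.0.1g, 1.0.0 and 0.9.8 hosts alone. The version string is only a first filter: vendors that backported the fix without bumping the version need a package-level check, and a patched library is only in effect once every process that loaded the old one has been restarted.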

“Our team has successfully made the appropriate corrections across the main Yahoo properties and we are working to implement the fix across the rest of our sites right now,” according to the statement, which adds that those properties include Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.

Yahoo did not respond to a query about whether it would adopt Perfect Forward Secrecy, a feature long wanted by the security community. Had it been in place, it would have prevented decryption via the Heartbleed Bug, Seth Schoen, senior staff technologist with the Electronic Frontier Foundation (EFF), said on Tuesday.

On the flip side, OkCupid, a popular dating website, has used Perfect Forward Secrecy for a long while, at least for browsers that support it, Mike Maxim, head of infrastructure at OkCupid, said in a Wednesday email.

Although forward secrecy protects previously recorded traffic even if the server's private key leaks, OkCupid was still running one of the vulnerable versions of the OpenSSL library, so the key itself, and whatever else sat in server memory while the bug was exploitable, remained exposed.

“As a result of the bug, as of yesterday, we have upgraded our system to use the new, unaffected, version of OpenSSL (1.0.1g),” Maxim said. “In addition, we have reissued our SSL certificate after we upgraded OpenSSL. Users should not feel unsafe on the site. To be the most careful, a user can also change their password.”

Perhaps ironically, the Heartbleed Bug has not hurt OkCupid's traffic, Maxim said; to the contrary, traffic is currently at an all-time high.

Meanwhile, website platform Pantheon spent the better part of 12 hours patching more than 60,000 Drupal and WordPress sites, according to a detailed blog post published Wednesday by David Strauss, CTO of Pantheon. The company fixed the problem by taking advantage of its unified, container-based infrastructure and was completely patched by Monday evening, Strauss wrote.

Page 1 of 2