CodeSphere is ok …

WAIT … Just wanted to let everyone know that our hosting provider patched and tested our servers before the information hit the street. Because there was no public exploit at the time our provider patched everything, it is highly unlikely that your passwords on CodeSphere were compromised. However, all of the certificates at our hosting provider are being reissued just in case. Feel free to check for yourself at http://heartbleedcheck.com/

Heartbleed - CS is Safe

What is it?

The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. That library is what is used to secure information traffic across much of the Internet. Because the vulnerability itself could leak/bleed information and it involved the “Heartbeat” function of OpenSSL, the vulnerability was nicknamed “Heartbleed.”

This vulnerability allows hackers to steal information normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy for web sites, email, instant messaging and some virtual private networks. The vulnerability compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. That would allow attackers to eavesdrop on communications, steal data from the services and users, and impersonate services and users.

Do I care?

You may or may not care, but my suggestion is that if you get an email from a service or site you use that asks you to change your login information, you do it. Being the paranoid person I am, I tend NOT to click the link in any email asking me to change information; I simply go to the site as I normally would and make my changes.

The vulnerability has been there since March 2012. I do not know of any exploitations of it and have not seen any reports. Unfortunately, there is no way to tell if someone has used this vulnerability against you or not; it leaves no trace. The only way to tell will be if “honeypots” (aka traps) are set and then attackers try it.

There are versions of OpenSSL that do not have the vulnerability, so if one of those versions has always been used then no worries.
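To see which side of that line a given build falls on, here is an added example (not part of the original post) that classifies the string printed by `openssl version`. The affected range, 1.0.1 through 1.0.1f plus 1.0.2-beta and 1.0.2-beta1, comes from the OpenSSL project's advisory rather than this post, and the function names and sample strings are made up for illustration. Distributions often backport the fix without changing the version string, so read "affected" as "check the package changelog".

```python
import re
import ssl

# Matches e.g. "1.0.1e", "0.9.8y", "1.0.2-beta1", "1.0.1e-fips".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?")


def classify_openssl(version_string):
    """Classify an upstream OpenSSL version string for Heartbleed.

    Returns "affected", "not affected" or "unknown". Only the upstream
    release number is judged; a distro build may carry a backported fix.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # No letter is 1.0.1 itself; a..f are affected, 1.0.1g has the fix.
        return "affected" if letter <= "f" else "not affected"
    if release == (1, 0, 2) and beta in ("beta", "beta1"):
        return "affected"
    # The 0.9.8 and 1.0.0 branches never shipped the Heartbeat code,
    # and later releases include the fix.
    return "not affected"


def local_status():
    """Classify the OpenSSL build this Python interpreter is linked against."""
    return classify_openssl(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    samples = [
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
    ]
    for s in samples:
        print(f"{s:35} -> {classify_openssl(s)}")
    print(f"this interpreter ({ssl.OPENSSL_VERSION}) -> {local_status()}")
```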

Who uses OpenSSL?

That would be most of the internet. That includes some of the big-name network equipment vendors.

Want more Information?

Start here at the heartbleed site.

 
