April 9, 2014 (Saskatoon, SK). BlackSun Inc., a Canadian web hosting company, has responded to recent internet news items relating to the "Heartbleed" bug. BlackSun confirms that its systems are patched, and offers a revised explanation of an OpenSSL vulnerability that exists on millions of public internet systems.
Experts recently discovered a major flaw in OpenSSL, software used by banks, e-mail and social media services, that gives a hacker the potential to expose users’ names and passwords, the content of their communications, and their data. Millions of sites hosted by corporations, and most major web hosting companies, are at risk. Major internet players, including Facebook, Google, and Twitter, have confirmed they were at risk and have taken measures to patch and protect their clients.
BlackSun would also like to confirm that the vulnerability lies with the OpenSSL software and not with any certificates purchased from BlackSun, or BlackSun CA keys. BlackSun is not aware of any real-world exploits of this flaw at this point in time.
Source: in part from Gail Sullivan, Washington Post, revised by BlackSun.ca
Here are some more critical questions and answers.
Q: Are the systems at BlackSun.ca patched and secure from the Heartbleed flaw?
A: Yes. BlackSun has several layers of security in place to protect against this flaw. Some servers required an OpenSSL patch, which has been in place since April 8th, 2014.
Q: What is SSL?
A: It stands for Secure Socket Layer. It is the technology for establishing an encrypted link between a Web server and a browser. This link ensures that all data passed between the Web server and browsers remains private. The “Open” in OpenSSL simply means that the code is freely available.
Q: Is there a fix?
A: Yes. The fix is available for download and is being rolled out, but the bug has been around since 2011.
Q: Should you change your passwords?
A: Don’t rush to change your password at your current host until they confirm a fix. BlackSun users are regularly reminded to change passwords every three months as part of their ongoing best-practices security plan.
Q: How can I check to see if my website is at risk?
A: You can use the tool at http://filippo.io/Heartbleed/ to see if a Web site is vulnerable. If it is, don’t log in until the company confirms it has updated its SSL software and changed its security certificates. After that, you can change your password.
OpenSSL has released version 1.0.1g to fix the bug.
Q: What specific versions are affected?
A: OpenSSL versions affected:
1.0.1 through to 1.0.1f (inclusive).
Q: What versions are not affected?
A: OpenSSL versions not affected:
1.0.0 (entire branch)
0.9.8 (entire branch)
The release of OpenSSL 1.0.1g on April 7, 2014, fixes the bug.
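The version ranges above are easy to misread, so here is a small added example (not BlackSun's code, and not a substitute for the online checker linked earlier) that parses the output of `openssl version` and applies exactly the rule stated in this notice: the 1.0.1 branch from 1.0.1 up to and including 1.0.1f is affected, 1.0.1g and later are fixed, and the 1.0.0 and 0.9.8 branches are not affected. The sample version strings in the comments are constructed for illustration. One caveat a practitioner should keep in mind: some Linux distributions backport the fix into a package while leaving the reported version at 1.0.1e, so a version string alone can give a false positive; check the package changelog or use a live test in that case.

```python
import re
import subprocess

# Rule from the notice: 1.0.1 through 1.0.1f (inclusive) affected, 1.0.1g fixed.
AFFECTED_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-fips", "OpenSSL 0.9.8y".
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, patch), letter) from an `openssl version` line.

    The letter suffix is "" for a bare release such as 1.0.1.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    branch = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    return branch, match.group(4)


def is_heartbleed_affected(text):
    """True if the version string falls in the affected range 1.0.1 .. 1.0.1f."""
    branch, letter = parse_version(text)
    if branch != AFFECTED_BRANCH:
        # 1.0.0, 0.9.8 and every other branch are outside the affected range.
        return False
    # "" (plain 1.0.1) sorts before "a"; anything before "g" is affected.
    return letter < FIXED_LETTER


def local_openssl_version():
    """Run `openssl version` on this host; returns None if the binary is absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip()


if __name__ == "__main__":
    # Constructed sample strings, then the local binary if one is installed.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013",   # affected
                   "OpenSSL 1.0.1g 7 Apr 2014",    # fixed
                   "OpenSSL 1.0.0l 6 Jan 2014",    # branch not affected
                   "OpenSSL 0.9.8y 5 Feb 2013"):   # branch not affected
        print(f"{sample:32} affected={is_heartbleed_affected(sample)}")
    local = local_openssl_version()
    if local:
        print(f"{local:32} affected={is_heartbleed_affected(local)}")
```

Run it on each server, or feed it the version string reported by a package manager; a result of `True` means the binary must be updated (or the backported fix confirmed) before certificates are replaced and users are told to change passwords.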
Q: How did this happen?
A: “The vulnerability was introduced in 2011, apparently by accident when the open source code was updated, but the error was only spotted recently. That has raised fears that some attackers may already have been exploiting it to steal information,” the Guardian reported.
Q: What exactly is the problem?
A: It is “a weakness in one feature of the [OpenSSL] software — the so called ‘heartbeat’ extension, which allows services to keep a secure connection open over an extended period of time — allows hackers to read and capture data that is stored in the memory of the system,” Gigaom explains.
In practice, this gives the hacker the possibility of reading bits and pieces of the server’s memory over time.
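To make the Gigaom description concrete, here is an added example (written for this page; it is not OpenSSL's code, which is in C, and the message bytes are constructed for illustration) of what a heartbeat message looks like on the wire and the one check a receiver must perform. A heartbeat message carries a type byte, a two-byte declared payload length, the payload, and at least 16 bytes of padding, all inside a TLS record whose header states the real length of the data that arrived. The parser below refuses any message whose declared payload length does not fit inside the record it came in; the affected OpenSSL releases copied the declared number of bytes out of memory without making that comparison, which is the flaw described above.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for the heartbeat extension
TLS_1_1 = 0x0302                # record-layer version used in the constructed samples
MIN_PADDING = 16                # heartbeat messages carry at least 16 bytes of padding
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types


class MalformedHeartbeat(ValueError):
    """Raised for any heartbeat message a careful receiver must discard."""


def build_heartbeat_record(payload, hb_type=HB_REQUEST, declared_len=None):
    """Construct a TLS record carrying one heartbeat message.

    declared_len lets the constructed sample state a payload length that does
    not match the bytes actually sent, which is the malformed case the parser
    must reject.
    """
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, TLS_1_1, len(body)) + body


def parse_heartbeat_record(record):
    """Return (hb_type, payload) from a TLS heartbeat record, or raise.

    Every length used to slice `record` is checked against the number of
    bytes that actually arrived, never against what the sender declared.
    """
    if len(record) < 5:
        raise MalformedHeartbeat("truncated record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        raise MalformedHeartbeat(f"not a heartbeat record (type 0x{content_type:02x})")
    body = record[5:]
    if len(body) != rec_len:
        raise MalformedHeartbeat(f"record length {rec_len} but {len(body)} bytes present")
    if rec_len < 1 + 2 + MIN_PADDING:
        raise MalformedHeartbeat("record too short for a heartbeat message")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise MalformedHeartbeat(f"unknown heartbeat type {hb_type}")
    # The bounds check: type + length field + declared payload + padding must
    # fit inside the bytes that were actually received. Without it, a reply
    # would be built from payload_len bytes of whatever follows in memory.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        raise MalformedHeartbeat(
            f"declared payload {payload_len} bytes exceeds record of {rec_len} bytes")
    return hb_type, bytes(body[3:3 + payload_len])


def over_read_bytes(record):
    """How many bytes beyond the received data an unchecked receiver would copy
    (0 for a well-formed message). Useful when explaining why a log of
    oversized heartbeat requests is worth investigating."""
    _t, _v, rec_len = struct.unpack("!BHH", record[:5])
    _hb_type, payload_len = struct.unpack("!BH", record[5:8])
    return max(0, 1 + 2 + payload_len + MIN_PADDING - rec_len)


if __name__ == "__main__":
    good = build_heartbeat_record(b"ping")                     # constructed, well-formed
    bad = build_heartbeat_record(b"ping", declared_len=0xFFFF)  # constructed, malformed
    print("good:", parse_heartbeat_record(good), "over-read:", over_read_bytes(good))
    try:
        parse_heartbeat_record(bad)
    except MalformedHeartbeat as err:
        print("bad rejected:", err, "over-read had it been accepted:", over_read_bytes(bad))
```

The lesson for anyone writing or reviewing network code is the general one: a length that arrives from the peer is untrusted input, and every copy or slice must be bounded by the data actually received rather than by that declared value.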