I've been getting questions this week about the Heartbleed exploit, a vulnerability in OpenSSL, the library that many website servers use to provide SSL (Secure Sockets Layer) encryption. Here's what you need to know.
- Heartbleed is a serious exploit and a severe vulnerability. You should definitely be concerned about any website you use that offers secure services, and make certain that they are taking steps to remove the vulnerability.
- Our official recommendation is that all of our clients change all of their passwords on all sites that have secure servers (website addresses of secure servers start with https:// ). Change a password only after the site has confirmed it has patched; a new password entered on a still-vulnerable server can be exposed just like the old one. We recommend that you change passwords regularly in any case.
- Heartbleed only affects websites whose secure services are provided by a vulnerable version of OpenSSL. Websites that do not offer secure services are not vulnerable.
- Our long-time hosting partner, Dreamhost, was not running a version of OpenSSL open to the exploit on any hosted websites. A few of its mail servers were affected, but Dreamhost moved very quickly in response to the exploit, and none of our sites is vulnerable at this time.
- SquareSpace, our latest hosting and website partner, is also safe and not vulnerable to the Heartbleed exploit.
- PayPal, our long-time payment gateway solution, is not vulnerable to the exploit.
- Stripe, our latest payment gateway solution, moved very quickly in response to the exploit and had everything patched hours before any public exploit code was released. They are not vulnerable to the exploit.
- For the geeks among us, here are two more detailed explanations of what Heartbleed is and how it caught almost the entire Net off guard: CryptographyEngineering.com, "Attack of the Week: OpenSSL Heartbleed"; Vox.com, "Heartbleed Explained".
- If you have any questions or concerns about Heartbleed or any other security issues, please contact us.
The best explanation I have found of how the Heartbleed exploit actually works is by the awesome webcomic XKCD. Click the image on the right or the link below to view it in full awesomeness.