Dealing with Heartbleed

I am sure that everyone is aware of the news regarding the Heartbleed bug that has been discovered in the software used by some web sites. As usual the BBC has a well balanced report on the background – see http://www.bbc.co.uk/news/technology-26954540.

I am very pleased to advise that the Safe4 service was not affected by this security bug, as we do not, and never have, used the affected software, OpenSSL, to secure and encrypt the communication between your computers and Safe4.

In an environment where web attacks are increasingly common, a few things made this problem significant enough to propel it to headline news.

  • Principally, it enabled access to the server’s private encryption keys. These keys are used to decrypt transmitted information. Once an attacker has these keys, it is possible for them to decrypt all traffic that used those keys: historically intercepted traffic and, until the keys have been changed, future traffic as well.
  • Many attacks leave a clear trace that the attack has taken place. In this specific case there is no means to detect that the attack has happened, so it is not possible for sites to tell whether they have been the subject of an attack. Best practice is therefore to assume that sites using the affected versions of the software have been compromised.

These things combined have led to the advice that users should change the passwords they use on the internet. This is clearly a daunting task, since if you follow best practice advice, which I would wholeheartedly endorse, you probably have many tens of passwords to change. I would encourage you to consider using tools like 1Password (https://agilebits.com/onepassword), which help you to use much more secure passwords and to manage and keep track of them securely.

Safe4 is obviously built from the ground up around the security of your information, and we are proud that you trust your sensitive information to us. Although not affected by this bug, we have, probably like many companies today, reviewed our system configurations and run some further tests to ensure we remain secure. As a result of the review we took the decision today to disable some outdated routines which were only used by older browsers. Independent testing has given us a clean bill of health.