Since the discovery of the Heartbleed bug about a month ago, companies have been scrambling to fix security issues while the general public has been warned to monitor online account activity and change passwords (though not everyone has felt the urgency, apparently).

As a software and systems development company, we went into overtime to fix security vulnerabilities for our clients, and we’re happy to say that we quickly patched all issues related to Heartbleed. Almost all our clients are hosted using Amazon Web Services. SSL decryption is handled by Amazon's Elastic Load Balancers, which were patched 24 hours after the vulnerability was announced. Customers’ individual application servers were also vulnerable to Heartbleed, but are firewalled off from the Internet at large, so it would not have been possible for an agent to attempt a Heartbleed attack against these servers. All the same, OpenSSL was updated on all servers to prevent any possibility of an attack.

Do You Need to Change Your Password?

There's no evidence that Heartbleed was exploited prior to the public announcement of the vulnerability. So really, it's only necessary to update your password if you logged into a vulnerable site between when Heartbleed was announced and when it was fixed on that server. (A one-week period should be sufficient for most sites.)

However, if you need to change a password, and you use that password across multiple websites, be sure to change it everywhere. We recommend that you start using a password service like LastPass.

See this Mashable article for sites whose security may have been compromised and for which you might want to change your passwords. Furthermore, the Heartbleed Bug Health Report has a list of sites currently vulnerable, listed by popularity. However, almost all sites of any import were patched a few weeks ago, so really it's only the dregs that remain.

What’s the Fallout?

For such a horrible exploit, the damage has been well contained. Companies were very quick to patch the vulnerability and some of the more dangerous aspects of the vulnerability (the ability to access the server's private SSL key) are not easy to execute. And even if an attacker is able to retrieve the SSL key, he would still need to be in a privileged position and you would need to be targeted in order for him to carry out a successful man-in-the-middle attack against you using the key.

In short, be vigilant. Use unique passwords (with help from Lastpass) and enable 2-factor authentication where available.

For more comprehensive information on the Heartbleed bug, check out these resources:

Illustration credit: XKCD


An infrastructure audit that tests the health of your whole system