10 April 2014

Heartbleed SSL Vulnerability

Briefly, a bug was discovered recently in the OpenSSL library, which is used by many webservers to secure websites. The vulnerability is now patched on all major sites, but for a day or so it would have allowed an attacker on an unpatched site to read data from the server, possibly including passwords of people logged on.

Accordingly, some affected sites such as Yahoo are asking people to change their passwords.
You may receive legitimate email from other organizations, including TRIUMF, asking you to change your password.
You may also receive fraudulent emails telling you to change a password. In general, do not click on links in email but log on to the site in the normal way and use your "my account" page.
Any request to change a TRIUMF password would come from TRIUMF staff, by name, and would include a phone number. If in doubt, ask.

This is not an ongoing threat - there is no issue with logging on to a patched server.

The main TRIUMF website www.triumf.ca, and the mailservers, are not vulnerable to this attack and never have been. Some other servers have been patched. For more details, please ask.

If you think you may have logged in to a vulnerable web service - anywhere - in the period April 6-9 2014, you might consider changing your password. It's probably a good idea to change passwords regularly in any case, because viruses and hacked websites can steal passwords and sell them on months later. Personally I now suggest something like xkcd-style triple-word passwords, and to keep at least a few separate ones for different purposes. Don't have all your eggs in one basket - you can't trust websites not to lose your password even if you yourself are careful.

Mitigation on servers

The bug mainly affects Linux webservers, in particular CentOS 6.5, SL 6.5 and Ubuntu 12. There should be updates in the repositories since April 8. You just need to apply them, and then restart the webserver.
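The update-and-restart step above, as an added example that is not part of the original notice. The first function classifies an `openssl version` string by the upstream release range that shipped with the bug (1.0.1 up to 1.0.1f, plus the 1.0.2-beta1 preview); the remaining functions apply the repository update and restart the webserver on the two distribution families the notice names. The service and package names (`httpd`/`apache2`, `libssl1.0.0`) and the use of `lsof` to spot processes still holding the old library are assumptions about a typical CentOS/SL 6.5 or Ubuntu 12.04 host, not something the notice states.

```shell
#!/bin/sh
# Added example (not from the original notice): decide whether the OpenSSL
# build on a server is in the affected range, then apply the vendor update
# and restart the webserver, as the notice instructs.

# Return 0 (true) when an "openssl version" string names a release that
# shipped with the bug: 1.0.1 through 1.0.1f, and the 1.0.2-beta1 preview.
# 0.9.8, 1.0.0 and 1.0.1g or later are not affected.
heartbleed_vulnerable_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Caveat: enterprise distributions backport the fix without changing the
# version string (CentOS/SL 6.5 stay at 1.0.1e before and after the fix),
# so after updating, trust the package changelog and a restart, not this
# string alone.

# Apply the repository update for OpenSSL and restart the webserver so the
# running process loads the fixed library (an updated file on disk does not
# change a process that already mapped the old one). Assumed service and
# package names for CentOS/SL 6.5 and Ubuntu 12.04.
patch_and_restart() {
    if [ -f /etc/redhat-release ]; then
        yum -y update openssl
        service httpd restart
    else
        apt-get update && apt-get -y install --only-upgrade openssl libssl1.0.0
        service apache2 restart
    fi
}

# List processes that still map a deleted (pre-update) libssl: anything shown
# here needs a restart as well, webserver or not. Assumes lsof marks deleted
# mapped files with "DEL".
stale_libssl_users() {
    lsof -n 2>/dev/null | awk '/DEL/ && /libssl/ { print $1, $2 }' | sort -u
}

# Stand-alone run: report on the local build only; does not modify the system.
if command -v openssl >/dev/null 2>&1; then
    if heartbleed_vulnerable_version "$(openssl version)"; then
        echo "openssl version string is in the affected range: update and restart"
    else
        echo "openssl version string is outside the affected range"
    fi
fi
```

Run `patch_and_restart` as root once the version check (or the package changelog, on RHEL-family systems) says the host is affected, then run `stale_libssl_users` to confirm nothing is still using the old library.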

Changing passwords

See the Hit List and Top Sites status below.
If you go to a secure website and look at its certificate (click the padlock, or the location bar logo, and look at security details), then if the certificate was issued between April 5 and April 10 2014, the server probably was vulnerable and you should probably change your password for that site. The Top Sites pages have this information for the most popular websites, as of 12 April.
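The certificate-date check above, done from a shell rather than the browser, as an added example that is not part of the original notice. It takes the `notBefore` line that `openssl x509 -noout -startdate` prints, converts it to a comparable YYYYMMDD number, and tests it against the April 5 to April 10 2014 window; `check_site_certificate` fetches a live certificate over TLS (assumes port 443 and network access) and is not run by default. The sample `notBefore` lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original notice): read a site's certificate
# start date and test whether it falls in the April 5-10 2014 window the
# notice describes, which suggests the site re-issued its certificate after
# patching.

# Convert a three-letter month name to a zero-padded number ("00" if unknown).
month_number() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) echo 00 ;;
    esac
}

# Take a line as printed by "openssl x509 -noout -startdate", e.g.
#   notBefore=Apr  8 14:22:05 2014 GMT
# and print it as YYYYMMDD so it can be compared numerically.
start_date_yyyymmdd() {
    set -- $(printf '%s\n' "$1" | sed 's/^notBefore=//')
    # after word splitting: $1=month $2=day $3=time $4=year
    printf '%s%s%02d\n' "$4" "$(month_number "$1")" "$2"
}

# Return 0 (true) when the certificate start date is inside April 5-10 2014
# inclusive.
issued_in_heartbleed_window() {
    d=$(start_date_yyyymmdd "$1")
    [ "$d" -ge 20140405 ] && [ "$d" -le 20140410 ]
}

# Fetch the live certificate of a host over TLS and apply the check.
# Needs network access; assumes port 443. Not run in the stand-alone part.
check_site_certificate() {
    host=$1
    line=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -startdate)
    if issued_in_heartbleed_window "$line"; then
        echo "$host: certificate issued in the window ($line); consider changing your password"
    else
        echo "$host: certificate not issued in the window ($line)"
    fi
}

# Stand-alone run over constructed sample lines (no network needed).
for sample in "notBefore=Apr  8 14:22:05 2014 GMT" "notBefore=Jan 15 09:00:00 2014 GMT"; do
    if issued_in_heartbleed_window "$sample"; then
        echo "in window: $sample"
    else
        echo "outside:   $sample"
    fi
done
```

The date is a heuristic, not proof: a site that patched but kept its old certificate will not show a date in the window, which is why the notice points to the Top Sites status pages for the popular sites.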

More Information:

April 2014 Andrew Daviel