Heartbleed OpenSSL bug – should you change your passwords?

April 11, 2014

You may have read about the bug in OpenSSL that allowed attackers to read random 64 KB chunks of server memory.  This bug was reported by CERT on Monday, April 7, 2014.  Software vendors supplied patches on April 7 and 8.  A few of our SSL servers were vulnerable; we applied all patches and confirmed that they worked on all servers on April 7 and 8.

Many of the most popular internet sites were affected, including Google, Facebook, YouTube, Yahoo!, Bing, Pinterest, Blogspot, Instagram, Tumblr, Reddit, Netflix, Yelp, Blogger, Dropbox, and the Washington Post (to name a few).

This was a nasty bug – it left no traces in server logs, so there’s no way to tell whether it was exploited by bad guys.  There’s an XKCD cartoon that shows how the exploit worked.

We prefer to err on the side of caution, so we have replaced our own SSL certificates and have changed important passwords.  Odds of your password being exposed on a server that we host are low, but not zero, and since many people use the same passwords on multiple sites (a really bad idea – don’t do this), we’re encouraging everybody to change their passwords.  If you use the same password on, say, Facebook, that you use with your email account, and bad guys managed to get the password from Facebook, you’re exposed.

Our Zimbra email servers were not vulnerable, but we still recommend that you consider changing your password anyway in case you’ve used the same password somewhere else.  Instructions for customers on Zimbra servers are here (use the webmail URL for your domain).  If your email account is on a Plesk server, instructions are here.  If you need help, open a ticket at https://support.his.com/home.

Changing your password isn’t mandatory, but it’s a good idea, especially if you think you may have used the same password anywhere else.