
Security Breach: The Internet's Heart is/was Bleeding


I remember that my grandmother used to be afraid to shop online. This was mainly because her accountant made her fearful about using a credit card on the Internet.

Eventually, we convinced her that using a credit card online was safe. Websites use "bank-level encryption," we'd say.

The heart and soul of this online encryption is a set of standards that define how encryption works on the Internet. These standards are considered central to Internet security. One of the more popular code libraries implementing these standards is called OpenSSL.

It was announced late Monday that OpenSSL, used to power encryption for an estimated two-thirds of the Internet, had a vulnerability that went undetected for two years.

That's why this bug is being called Heartbleed. I've embedded an explanatory video at the bottom of this post.

Given the nature and scope of the issue and potential risks to nearly all information online, this is a Big Deal. (notice the capitals)

Edthena promises layers of security to our users, so this was a major development that needed immediate attention. That's why we want to share how we responded:

  • Within an hour of the security patch being released, we successfully updated and restarted our servers. This meant that we were no longer vulnerable to the security attack.
  • Within 18 hours, we revoked our existing cryptographic keys and completed the necessary steps to generate and implement new keys for accessing our data.

In short, while Heartbleed presented a potential threat to our data, we acted immediately to deploy a fix and restore the highest level of security to our systems and for our users.

The ongoing concern with the Heartbleed exploit is that servers storing and transmitting sensitive data will not be upgraded and will remain vulnerable to this type of undetectable security attack.

Essentially every site needs to take steps to upgrade security measures, and they'll need to communicate those upgrades to users like we've done here.

In the meantime, you can test whether any site has installed the updates by visiting //filippo.io/Heartbleed

Image from Heartbleed.com
