Security Breach: The Internet's Heart is/was Bleeding
I remember that my grandmother used to be afraid to shop online. This was mainly because her accountant made her fearful about using a credit card on the Internet.
Eventually, we convinced her that using a credit card online was safe. Websites use "bank-level encryption," we'd say.
The heart and soul of this online encryption is a set of standards, SSL and its successor TLS, that define how a browser and a website negotiate and encrypt their connection. These standards are considered central to Internet security. One of the most widely used implementations of them is an open-source library called OpenSSL.
It was announced late Monday (April 7, 2014) that OpenSSL, which handles encryption for an estimated two-thirds of the web's servers, had a vulnerability (CVE-2014-0160) that went undetected for about two years: versions 1.0.1 through 1.0.1f fail to check the length field of a TLS "heartbeat" message, so anyone who can reach the server can send a crafted request and read back up to 64 KB of the server's memory per request, with no login required.
Because the flaw lives in the TLS heartbeat extension, the bug is being called Heartbleed. I've embedded an explanatory video at the bottom of this post.
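The bug itself is a single missing length check. The following C program is an added example, not OpenSSL's code and not part of the original post: it models the heartbeat handler from OpenSSL 1.0.1 (tls1_process_heartbeat in ssl/t1_lib.c) in cut-down form, places the received record in a constructed 128-byte "server memory" next to a made-up secret, and runs both the vulnerable version and the version with the checks that 1.0.1g added. All names, the memory layout and the secret string are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) |
 * payload(payload_length bytes) | padding(>= 16 random bytes).
 * Constants below are the demo's own, modelled on OpenSSL's. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_RESPONSE (3 + 0xFFFF + HB_PADDING)

/* Constructed server memory: the received record sits at offset 0 and a
 * secret (stand-in for a session cookie) sits 32 bytes further on. */
#define MEM_SIZE   128
#define SECRET_OFF 32
static const char SECRET[] = "session=constructed-demo-cookie";

/* Vulnerable handler (pre-1.0.1g shape): trusts the sender's payload_length
 * and never compares it with the real record length, so memcpy reads past the
 * record into whatever memory follows it. In real OpenSSL that is heap. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char *bp = out;
    unsigned hbtype, payload;

    (void)rec_len;                        /* the bug: length is ignored */
    hbtype = *p++;
    payload = (p[0] << 8) | p[1];         /* n2s(p, payload) */
    p += 2;
    if (hbtype != HB_REQUEST)
        return -1;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)payload;       /* s2n(payload, bp) */
    memcpy(bp, p, payload);               /* over-read: copies `payload` bytes */
    bp += payload;
    memset(bp, 0xAA, HB_PADDING);         /* stands in for RAND_pseudo_bytes */
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: the two bounds checks from the 1.0.1g patch. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char *bp = out;
    unsigned hbtype, payload;

    if (1 + 2 + HB_PADDING > rec_len)
        return -1;                        /* silently discard */
    hbtype = *p++;
    payload = (p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                        /* silently discard (RFC 6520 s. 4) */
    if (hbtype != HB_REQUEST)
        return -1;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)payload;
    memcpy(bp, p, payload);               /* now provably inside the record */
    bp += payload;
    memset(bp, 0xAA, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Write a request at mem whose header claims `claimed` payload bytes but
 * which really carries only plen bytes. Returns the true record length. */
static size_t build_request(unsigned char *mem, unsigned claimed,
                            const char *payload, size_t plen)
{
    size_t n = 0;
    mem[n++] = HB_REQUEST;
    mem[n++] = (unsigned char)(claimed >> 8);
    mem[n++] = (unsigned char)claimed;
    memcpy(mem + n, payload, plen);
    n += plen;
    memset(mem + n, 0x11, HB_PADDING);
    n += HB_PADDING;
    return n;
}

static int contains(const unsigned char *hay, size_t hlen,
                    const char *needle, size_t nlen)
{
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Feed a "HELLO" request that claims `claimed` payload bytes to handler.
 * Returns the response length (-1 if discarded); *leaked is set when the
 * secret shows up in the response payload. */
static int run(int (*handler)(const unsigned char *, size_t, unsigned char *),
               unsigned claimed, int *leaked)
{
    unsigned char mem[MEM_SIZE] = {0};
    unsigned char *out = malloc(HB_MAX_RESPONSE);
    size_t rec_len;
    int n;

    *leaked = 0;
    if (!out)
        return -1;
    rec_len = build_request(mem, claimed, "HELLO", 5);
    memcpy(mem + SECRET_OFF, SECRET, sizeof SECRET);
    n = handler(mem, rec_len, out);
    if (n > 3)
        *leaked = contains(out + 3, (size_t)n - 3, SECRET, strlen(SECRET));
    free(out);
    return n;
}

int vulnerable_leaks_secret(void)  { int l; run(heartbeat_vulnerable, 64, &l); return l; }
int fixed_discards_malicious(void) { int l; return run(heartbeat_fixed, 64, &l) == -1 && !l; }
int fixed_answers_honest(void)     { int l; return run(heartbeat_fixed, 5, &l) == 3 + 5 + HB_PADDING && !l; }

int main(void)
{
    printf("vulnerable handler leaks secret:          %d\n", vulnerable_leaks_secret());
    printf("fixed handler discards malicious record:  %d\n", fixed_discards_malicious());
    printf("fixed handler answers honest record:      %d\n", fixed_answers_honest());
    return 0;
}
```

The malicious request is 24 bytes long but claims a 64-byte payload; the vulnerable handler copies 64 bytes starting just after the header and so echoes the secret that sits beyond the record, while the fixed handler drops the request because 1 + 2 + 64 + 16 exceeds the 24 bytes actually received, yet still answers the honest 5-byte request. The demo keeps the over-read inside its own 128-byte array so it runs cleanly; on a real server the same memcpy walks into adjacent heap.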
Given the nature and scope of the issue and potential risks to nearly all information online, this is a Big Deal. (notice the capitals)
Edthena promises layers of security to our users, so this was a major development that needed immediate attention. That's why we want to share how we responded:
- Within an hour of the security patch being released, we successfully updated and restarted our servers. This meant that we were no longer vulnerable to the security attack.
- Within 18 hours, we revoked our existing cryptographic keys and completed the necessary steps to generate and implement new keys for accessing our data.
In short, while Heartbleed presented a potential threat to our data, we acted immediately to deploy a fix and restore the highest level of security to our systems and for our users.
The ongoing concern with Heartbleed is that many servers storing and transmitting sensitive data will not be upgraded and will remain exposed to an attack that leaves no trace in ordinary server logs: each crafted heartbeat request silently returns up to 64 KB of whatever happens to be in the server's memory, which can include passwords, session cookies and even the server's private key.
Essentially every affected site needs to do more than install the patch. Because the private key may already have been read out of memory, the certificate should be reissued with a freshly generated key and the old certificate revoked; only after that does it make sense to ask users to change their passwords. Sites also need to communicate those steps to their users, as we've done here.
In the meantime, you can test whether a site has installed the update by visiting //filippo.io/Heartbleed. Keep in mind that a site that passes the check may still be using a certificate whose key was exposed before the patch went in.
Image from Heartbleed.com