Reports of a flaw in one of the basic building blocks of Internet security have hit the press this morning, and in typical fashion there is a lot of FUD (Fear, Uncertainty, and Doubt) and sensationalism happening. We have already been contacted by a number of our customers about their exposure, so we wanted to get ‘the real story’ out as quickly as possible.
First – what exactly happened? There is an open source software program named OpenSSL that helps to encrypt traffic between Internet users and the servers they communicate with. Think of going to someshoppingsite.com, for example, and purchasing a new pair of shoes. When you check out, you get the padlock in the toolbar letting you know that the information you are giving to the site is encrypted. Well, it turns out that if the site is using certain versions of this OpenSSL software, the bad guys can actually intercept the information you are sending. If you gave the site your credit card, identity, or any other confidential information, you may have shared that with the bad guys without ever knowing it.
Second – what are the mitigating factors? Well, if the site you are dealing with doesn’t use OpenSSL, there is no issue. Also, it is only specific versions of OpenSSL that are affected, and some of the affected versions are even labeled as beta (pre-release) software. So if the site you are dealing with is using the latest version of OpenSSL, you don’t have any issue. Finally, this problem has actually been around for about 2 years, so if you’ve been a victim, it is probably too late to do anything. Don’t believe the sensationalism that is in the press today – it is only a story today because this vulnerability was just publicly announced.
Finally – what should you as an Internet user do to take precautions? Well, a company named Qualys has put out a site where you can enter the address for a website and test it to see if it is vulnerable or not (i.e. whether it is running one of the affected versions of OpenSSL). Just go to https://www.ssllabs.com/ssltest/ and type in a web address to see how secure the site is.
As is always the case, we have proactively notified all of our itSynergize Managed clients and ensured their systems are secure and that their users are aware and protected to the maximum extent possible. If you have any questions or would like to discuss the technical aspects in greater detail, please feel free to reach out.