Password Update Required to Address OpenSSL Heartbleed bug

April 9, 2014


As you likely heard, on Monday April 7th, news broke of the Heartbleed bug, a vulnerability in the OpenSSL cryptographic library, and the risk it poses to users' accounts. This has widespread implications: OpenSSL is used by roughly two-thirds of all websites on the Internet, and this vulnerability could expose a user's login and password to hackers.

Here's what we know and what we're doing about it. As soon as we learned of Heartbleed on Monday we started taking steps to remove the vulnerability. These steps started Monday night and have been completed. Now that new SSL certificates are installed on all of our services, all DomainTools users will be logged out and forced to change their passwords to ensure there is no lingering exposure to Heartbleed. This needs to be done to ensure the security of our users' accounts and login credentials.

About Heartbleed:

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”

This is serious and will affect many of the websites that you use. According to Heartbleed.com, “Most notable software using OpenSSL are the open source web servers like Apache and nginx,…which have combined market share of over 66%.”

The risk is that attackers leveraging this vulnerability could steal your login and password and gain access to your accounts and private data.  If you use the same credentials on other sites, they could gain access to those accounts as well.

What We’re Doing About It:

Our Tech Ops team started installing the fix to OpenSSL on our servers immediately on Monday night — as soon as we became aware of the vulnerability through one of the many security lists we monitor. We have been working with our CDN team as well. New SSL certificates have been obtained and installed both internally and with our CDN provider.

Because this vulnerability leaves no logging trace, there is no way of knowing whether we were compromised or not. With our servers updated and the new SSL certs in place, we need to take steps to ensure the future security of our users' logins and data. This includes eliminating open sessions that could have been compromised. To do this we need to log everyone off the DomainTools application and force a password reset. We apologize for this inconvenience, but it is to ensure the security of your personal information. DomainTools takes security very seriously and moved as quickly as possible to completely eradicate this vulnerability from our servers. With the OpenSSL fix applied, new SSL certificates installed, and all login sessions and passwords renewed, we believe we have eliminated any future exposure to the Heartbleed vulnerability.
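As an added illustration of the remediation sequence described above (this is not DomainTools' own code), the following Python sketch enforces a "credential epoch": any session or password that predates the cutoff at which the patched OpenSSL and the new certificates went live is refused, which is the mechanical equivalent of the global logout and forced password reset. The cutoff timestamp and the sample users and sessions are constructed assumptions.

```python
"""Credential-epoch enforcement after a key-compromise event such as Heartbleed.
Anything (session or password) set before the remediation cutoff is refused, so a
cookie or password harvested from the vulnerable server cannot be reused."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed cutoff: the moment the fix and the new certificates were in place.
REMEDIATED_AT = datetime(2014, 4, 8, 6, 0, tzinfo=timezone.utc)

@dataclass
class User:
    name: str
    password_changed_at: datetime

@dataclass
class Session:
    user: str
    issued_at: datetime

def session_is_valid(session: Session, cutoff: datetime = REMEDIATED_AT) -> bool:
    """A session minted before the cutoff may have been read out of server
    memory, so it counts as logged out regardless of its normal expiry."""
    return session.issued_at >= cutoff

def sweep_sessions(sessions, cutoff: datetime = REMEDIATED_AT):
    """Global logout: keep only sessions issued after remediation."""
    return [s for s in sessions if session_is_valid(s, cutoff)]

def login_decision(user: User, password_ok: bool,
                   cutoff: datetime = REMEDIATED_AT) -> str:
    """Returns 'denied', 'password_reset_required' or 'allowed'. A correct
    password is still not enough if it predates the cutoff: it may have leaked."""
    if not password_ok:
        return "denied"
    if user.password_changed_at < cutoff:
        return "password_reset_required"
    return "allowed"

# Constructed sample data: one pre-cutoff and one post-cutoff user and session.
SAMPLE_USERS = {
    "alice": User("alice", datetime(2014, 3, 1, tzinfo=timezone.utc)),
    "bob": User("bob", datetime(2014, 4, 9, tzinfo=timezone.utc)),
}
SAMPLE_SESSIONS = [
    Session("alice", datetime(2014, 4, 7, 22, 0, tzinfo=timezone.utc)),
    Session("bob", datetime(2014, 4, 9, 9, 30, tzinfo=timezone.utc)),
]
```

Running `sweep_sessions(SAMPLE_SESSIONS)` keeps only bob's session, and `login_decision(SAMPLE_USERS["alice"], True)` returns `"password_reset_required"` even though the password was correct.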


Category: security

About the Author

As the Vice President of Marketing and Product at DomainTools, Jeff has over 20 years in the high-tech industry. Starting out as a design engineer at Intel and spending the last 14 years in marketing and product management, Jeff has worked in big companies and startups, on technologies as vast as Cluster File Systems to InfiniBand software to IT Financial Management SaaS to Marketing Performance Management SaaS. Throughout all of it, Jeff maintains a passion for producing great products and driving successful high-growth businesses.

Comments (1)


  1. Anonymous says:

    Great to hear you guys are taking action swiftly.

    Though I am not an account holder, I use domaintools regularly.