As you likely heard, on Monday April 7th, news broke of the Heartbleed vulnerability in the OpenSSL cryptographic library and the risk it poses to users’ accounts. The implications are widespread: OpenSSL is used by roughly two-thirds of all websites on the Internet, and this vulnerability could expose a user’s login and password to attackers.
Here’s what we know and what we’re doing about it. As soon as we learned of Heartbleed on Monday, we started taking steps to remove the vulnerability. These steps began Monday night and have been completed. Now that new SSL certificates are installed on all of our services, all DomainTools users will be logged out and required to change their passwords to ensure there is no lingering exposure to Heartbleed. This is necessary to protect the security of our users’ accounts and login credentials.
The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows an attacker to steal information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet for websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”
This is serious and will affect many of the websites that you use. According to Heartbleed.com, “Most notable software using OpenSSL are the open source web servers like Apache and nginx,…which have combined market share of over 66%.”
The risk is that attackers leveraging this vulnerability could steal your login and password and gain access to your accounts and private data. If you use the same credentials on other sites, they could gain access to those accounts as well.
What We’re Doing About It:
Our Tech Ops team started installing the OpenSSL fix on our servers immediately on Monday night, as soon as we became aware of the vulnerability through one of the many security lists we monitor. We have also been working with our CDN team. New SSL certificates have been obtained and installed both internally and with our CDN provider.
Because exploitation of this vulnerability leaves no trace in server logs, there is no way of knowing whether we were compromised or not. With our servers updated and the new SSL certificates in place, we need to take steps to ensure the future security of our users’ logins and data. This includes eliminating open sessions that could have been compromised. To do this we need to log everyone off the DomainTools application and force a password reset. We apologize for this inconvenience, but it is necessary to protect the security of your personal information. DomainTools takes security very seriously and moved as quickly as possible to completely eradicate this vulnerability from our servers. With the OpenSSL fix applied, new SSL certificates installed, and all login sessions and passwords renewed, we believe we have eliminated any future exposure to the Heartbleed vulnerability.