denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)
Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance2014-04-08 08:16 pm
  • Add Memory
  • Share This Entry

"Heartbleed" security vulnerability

For those who have seen reference today in the press to the "Heartbleed" security vulnerability in OpenSSL, we'd like to reassure you that although we (like a large portion of the internet) were running the affected software, we patched our servers last night and were no longer vulnerable from that point.

We have no reason to believe that anyone was exploiting this vulnerability against us or that any user data has been compromised. We'll be changing our security certificates for extra confidence.

On the other hand, the nature of this vulnerablity means that it's impossible for a website to know for absolute certain whether someone was exploiting it. If someone was exploiting the vulnerability, against us or against any other website, they potentially have access to any information you sent to the site, including your username/password for the site and any data you sent to the site under HTTPS. It's a good idea to change your passwords pretty much everywhere, but don't do it until you can verify that a site is no longer vulnerable.

If you have any questions, feel free to ask!
Flat | Top-Level Comments Only
the_marshal: (Default)

[personal profile] the_marshal 2014-04-09 04:10 pm (UTC)(link)
Just to clarify: I actually happened to purchase some services from DW yesterday, but my passwords from here and my banking website are entirely different. Since you don't store credit card numbers there's not chance it got swiped right?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2014-04-09 10:25 pm (UTC)(link)
Well, the way this bug works is that there's a chance anyone who was exploiting it could watch "over the shoulder" of all encrypted traffic in addition to having access to things like passwords and the like, so if you made any payments at all, anywhere, between the time this bug was introduced (December of 2011) and now, there's a chance your card number was compromised. It's a very tiny chance -- there's no evidence this was being exploited "in the wild" before the disclosure was made -- but still, it's a chance. This isn't just something that we were affected by, it's something that pretty much the whole internet was affected by.

It's not a huge risk, though. Change your banking website password, keep an eye on your credit card and banking statements for a few weeks, but it's not "cancel all your credit cards" level of risk and I wouldn't worry too much if I were you. (I'm in the same boat as you of having used my credit card online somewhere post-disclosure-and-pre-patch and I'm not worried, and where I used it was a much higher-value target than DW was.)
the_marshal: (Default)

[personal profile] the_marshal 2014-04-09 10:28 pm (UTC)(link)
I see! Thank you.

I've already changed my password over at my banking website - it seemed to be clear according to the previously linked tools - so I'll just keep an eye on things and not let myself worry about it too much.

Thank you for taking the time to explain it for me. :)
Flat | Top-Level Comments Only