I’ve seen a lot of media coverage over the last few days about the Heartbleed OpenSSL security hole, which has affected many internet platforms. According to media outlets, the likes of Amazon Web Services (AWS), Imgur, OKCupid and Eventbrite have been directly affected.
The first thing to say is that Mhub is not affected in any way. But I did want to take the opportunity to talk about why Mhub and our customers haven’t been affected. The Mhub platform is not built on, and does not in any way utilise, public cloud services like AWS or OpenSSL.
When new security vulnerabilities are announced, we always check our systems to confirm we are not affected. Usually, we do not make this public but, given the publicity surrounding Heartbleed and the large number of online services that are affected, we thought that in this case we would be clear that Mhub has never been vulnerable. Mhub uses a commercial solution for SSL rather than the free OpenSSL system. The software we use has been thoroughly tested to ensure it does not suffer a similar problem.
Heartbleed is a particular problem for services that are hosted with budget cloud services such as Amazon Web Services – Amazon are taking time to patch their infrastructure systems, and individual cloud server instances will need to be patched manually. Mhub controls its entire infrastructure itself, so we can ensure that everything is always up to date with security patches.
Mhub isn’t affected, but what about all the systems that are?
Essentially, Heartbleed is a way for a malicious attacker to get access to the memory contents of a server that is running a vulnerable version of the OpenSSL software. This means that anything held in the server memory can be extracted, including confidential data and even passwords.
There are an estimated 500,000 servers with the OpenSSL software installed, so if you hold confidential personal or business data with any internet-connected service, you should definitely check with them to confirm whether they have been affected and whether they have already installed an update to solve the problem.
If a service that you use has been affected, that does not necessarily mean that data has been stolen – just that it is possible. To date, there are no reports of actual data being stolen. However, once the system is no longer vulnerable, it would be wise to change passwords or other authentication information just in case.
More information about the Heartbleed vulnerability can be found at http://heartbleed.com/