Executive Summary


“Heartbleed” is the name given to a recently discovered vulnerability in the widely-used cryptographic software called OpenSSL.  Early estimates indicate that up to 70% of the Internet is affected by Heartbleed.  The vulnerability has been fixed in an updated version of OpenSSL.  No Protected Trust services were directly vulnerable.  However, a supplier application we use for remote desktop support was (past tense) vulnerable.  That supplier provided an update, which we immediately installed.  We also regenerated the relevant SSL certificates and, to ensure ongoing security, we logged out all users of our email encryption service and are requiring only those users to choose a new password.  No further action is required for your security on our site or services, but we do encourage you to consult your own security team to determine appropriate actions related to other online sites and services.

Heartbleed FAQ

1. What is Heartbleed?

“Heartbleed” is the name given to a recently discovered vulnerability in OpenSSL (see CVE-2014-0160).

2. Is there a fix for Heartbleed?

Yes. Soon after it was discovered and reported, the OpenSSL Project released an updated version (1.0.1g) that patches the vulnerability.

3. What is OpenSSL?

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols. SSL is the basis for the “s” in the “https” website prefix that indicates a secure and encrypted connection (e.g., http://ptmain.wpengine.com/).

4. Why is it called "Heartbleed"?

It’s a play on words based on a TLS extension called “Heartbeat” (because it provides keep-alive functionality) and OpenSSL’s implementation of that extension, which is what created the vulnerability.

5. How widespread is Heartbleed?

Early estimates indicate that up to 70% of the Internet is affected by Heartbleed due to the widespread use of OpenSSL to protect sensitive communications.

6. How old is Heartbleed?

Although Heartbleed was only discovered and named this week, the vulnerability has existed in earlier versions of OpenSSL for approximately two years.

7. Can I test whether a site was exploited using Heartbleed?

No, this is impossible: a Heartbleed attack leaves no trace in normal server logs, so there is no way to determine after the fact whether a site was exploited. But see the next question.

8. Can I test whether a site is still vulnerable to Heartbleed?

Yes. The following site provides this service free of charge. This site is not affiliated with Protected Trust and we make no representations about its security or accuracy.

http://filippo.io/Heartbleed/

9. What should I do if a site I use is still vulnerable to Heartbleed?

To ensure the security of your information, do not use the site until you have verified that it is no longer vulnerable to Heartbleed.

10. What should I do if a site I use is no longer vulnerable to Heartbleed?

Follow the instructions provided by each site. At a minimum, this should include changing your password.