The Password Safe
Heartbleed

On April 7th, 2014 we all had to learn that the Internet is even less secure than we all expected it to be. The OpenSSL Heartbleed bug rendered a vast majority of services (web, email, apps) insecure for almost two years. For more details go to heartbleed.com. To get a feeling for how severe this is, read Bruce Schneier's blog article on the case.

The Passvault servers have been updated to use the fixed OpenSSL version. Check it out: http://filippo.io/Heartbleed/#passvault.net or http://possible.lv/tools/hb/?domain=passvault.net. The passvault.net SSL certificate has been re-issued, too. Unfortunately a successful attack can't be recognized, as it leaves no trace anywhere, so no one can be sure which data has been compromised and when.

What does this mean for data stored in the Passvault? Passwords are stored in encrypted form in the Passvault database. This database was and is safe. To my understanding the vulnerability could potentially be used to eavesdrop on the encrypted communication between the client (you) and the server. Although this scenario is unlikely, there is no guarantee it never happened. The very unlikely worst-case scenario is that an attacker could read usernames and passwords that were modified or viewed during a session. However, I did not find any indication that such an exploit really exists.

I strongly encourage all users to change ALL passwords as soon as possible. And I really mean ALL passwords. At least I hope that the Passvault can be of some help in identifying which passwords you have, when they were created, and in keeping track of which have already been updated.
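The rotation sweep described above, as an added example that is not part of the original notice or of Passvault's own code: it takes a vault export (entry name plus last-change date, constructed sample data) and reports which entries still need a new password. The page gives the disclosure date but not the date passvault.net was patched, so PATCHED_ON is an assumed placeholder; the point it makes is that a change made while the server was still vulnerable does not count as done, because that new password was itself viewed over an exposed session.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Date the bug became public, as stated on the page.
DISCLOSED_ON = date(2014, 4, 7)
# The page does not say when passvault.net was patched; this is a placeholder
# assumption used only to make the example runnable.
PATCHED_ON = date(2014, 4, 9)


@dataclass
class Entry:
    name: str
    modified: Optional[date]  # last password change, None if unknown


def status(entry: Entry, patched_on: date = PATCHED_ON) -> str:
    """Classify one vault entry for the post-Heartbleed rotation sweep.

    Only a change made after the server was patched counts as done: a
    password changed while the server was still vulnerable travelled over
    a session that could itself have been read, so it needs changing again.
    """
    if entry.modified is None:
        return "rotate"  # no change history: assume it predates the fix
    if entry.modified < patched_on:
        return "rotate"
    return "done"


def rotation_report(entries: List[Entry], patched_on: date = PATCHED_ON) -> Dict[str, List[str]]:
    """Group entry names by status; names sorted so the list is stable to review."""
    report: Dict[str, List[str]] = {"rotate": [], "done": []}
    for e in entries:
        report[status(e, patched_on)].append(e.name)
    for names in report.values():
        names.sort()
    return report


# Constructed sample vault export (not real data).
SAMPLE = [
    Entry("mail", date(2013, 11, 2)),   # untouched since before disclosure
    Entry("bank", date(2014, 4, 8)),    # changed after disclosure, before the patch
    Entry("forum", date(2014, 4, 20)),  # changed after the patch
    Entry("legacy", None),              # no change history
]

if __name__ == "__main__":
    print(rotation_report(SAMPLE))
```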