Update

After patching and testing, add a statement about Heartbleed to your website with a single line of code! Visit our GitHub page to grab the code we wrote. [April 9th, 10:30 am]

What is Heartbleed?

Heartbleed is a severe vulnerability in OpenSSL that exposes private information on secured websites (where the “lock” icon is visible) to anonymous Internet attackers. As many as two-thirds of all secure websites may have been affected.

Clockwork-hosted websites secured with SSL are safe.

The Heartbleed bug allows attackers anywhere in the world to learn the password to your bank, view your private information sent over a secure connection, or hijack your account on a vulnerable website. Websites secured with OpenSSL “bleed” sensitive information to anyone who knows how to perform the attack. This is serious.

A fix is available for websites running OpenSSL, but it’s not easy for the average user to tell if their financial institution, healthcare provider, or other sensitive website is vulnerable.

Check secure websites here using a free tool from Qualys.

Practical guidance

Today

  1. Postpone logging in to any SSL-secured websites until tomorrow.
    This will allow your providers’ operations teams to patch the bug. Examples include banks, healthcare or insurance sites, or any other sensitive websites where you log in.

  2. Ask the secured websites you use for a statement on Heartbleed or check them.
    The best way to be certain that the secured websites you use are not vulnerable is to get an official statement from the website operator that they are not vulnerable.

  3. Spread the word, especially to your non-techie friends.
    Help your friends understand the severity of the situation and encourage them to wait until tomorrow before logging in to anything important.

Tomorrow

  1. Check websites for a Heartbleed statement before logging in.
    If you can’t find one from your provider, ask for assurance.

  2. Change your account passwords.
    This is a good idea semi-annually anyway. Be certain you are changing your password after the website operator has applied the fix or issued a statement that they are not affected.

  3. Consider using a password manager.
    If you’re going to change all of your website passwords and you are not using a password manager like LastPass or 1Password, we strongly encourage you to start using a service like these along with unique passwords for every website. (Official statements from both of these providers are at the bottom of this post.)

Heartbleed and Clockwork

If Clockwork hosts your SSL-secured website, you are safe. Heartbleed did not affect our customers’ SSL-secured websites.

Clockwork’s SSL connections are handled by appliances from KEMP Technologies. Last night, when the Heartbleed bug became public, we confirmed from their published release notes that they do not use a vulnerable version of OpenSSL.

Today, KEMP provided confirmation on their official Twitter account.

If you are a Clockwork client, contact your project manager if you have any questions or concerns. We’re here for you!