OpenSSL Heartbleed Security Vulnerability

Heartbleed

Recently the OpenSSL project released an update to address a security vulnerability nicknamed Heartbleed (CVE-2014-0160) in OpenSSL versions 1.0.1 through 1.0.1f.

What versions of OpenSSL are affected?

The status of the different versions is listed below:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced into OpenSSL in December 2011 and has been out in the wild since the release of OpenSSL 1.0.1 on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.
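The version list above is the check most administrators want to run first against the output of `openssl version`. The script below is an added example, not code from this advisory or from the OpenSSL project: it parses the version string and classifies it against exactly the ranges listed above (1.0.1 through 1.0.1f vulnerable; 1.0.1g and later, the 1.0.0 branch and the 0.9.8 branch not vulnerable; anything else reported as unknown rather than guessed). The sample lines are constructed for the example. One caveat a practitioner should know: some Linux distributions shipped the fix as a backported patch without changing the reported version (so a patched build can still print 1.0.1e), which means a version-string match can be a false positive; confirm with the package changelog or one of the external scanners mentioned below before treating a host as vulnerable.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample outputs in the usual `openssl version` format
# ("OpenSSL <major>.<minor>.<fix><letter> <date>"). The dates are only
# illustrative; the classifier ignores them.
SAMPLE_OUTPUTS = [
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.2 22 Jan 2015",
]

# major.minor.fix followed by an optional patch letter, e.g. 1.0.1f
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, fix, letter) from an `openssl version` line.

    Returns None when no version number can be found in the text.
    """
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def heartbleed_status(text: str) -> str:
    """Classify a version string against the ranges given in the advisory.

    Returns "vulnerable", "not vulnerable" or "unknown". Branches the
    advisory does not cover are reported as unknown, never assumed safe.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter = parsed
    base = (major, minor, fix)
    if base == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g onward are fixed.
        # Patch letters sort alphabetically, so "" and "a".."f" fall in the range.
        if letter <= "f":
            return "vulnerable"
        return "not vulnerable"
    if base in ((1, 0, 0), (0, 9, 8)):
        # The 1.0.0 and 0.9.8 branches never contained the heartbeat bug.
        return "not vulnerable"
    return "unknown"


def local_openssl_status() -> str:
    """Run `openssl version` on this host and classify the result.

    Reports "unknown" if the binary is missing or the command fails.
    """
    try:
        output = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "unknown"
    return heartbleed_status(output)


if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{line!r:40} -> {heartbleed_status(line)}")
    print(f"local openssl -> {local_openssl_status()}")
```

A result of "vulnerable" is a reason to patch and to rotate the certificate keys that the affected build protected; a result of "unknown" means the version is outside the ranges this advisory describes and needs to be checked against the OpenSSL project's own release notes.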

How to test for this vulnerability

It's important to remember that even if your browser is not vulnerable, some of the websites you visit may still be unsafe. Testing them before you continue to use them will help mitigate some of the risk.

LastPass have created a web app that will tell you what kind of encryption a site uses and when the encryption was last updated.

Filippo Valsorda and SSL Labs have built a web app that will test whether a site is still vulnerable to the Heartbleed bug.

Bluebox Security have built an Android app that will scan your Android phone to test whether it uses vulnerable versions of OpenSSL, either in its operating system or in any of your apps.

Are any Neurotechnics products affected?

No. After extensive analysis, we have confirmed that Neurotechnics does not use any of the vulnerable versions of OpenSSL in any of our products. In fact, we don't use OpenSSL at all on our servers; it's only used to retrieve meta-data for some of our online services that connect to third parties, and those services have all been confirmed safe.

So, you can rest assured that all of the data stored on our servers, and all traffic to and from our servers is safely and securely encrypted, and that all of our SSL certificate keys are secure.

Please see the Heartbleed website for more information on this topic, as well as how to test for and protect your own applications and servers against this vulnerability.