Heartbleed OpenSSL bug


Abe Dane

Apr 8, 2014, 10:50:02 PM
to tizra-...@googlegroups.com
We are currently in the process of addressing the Heartbleed OpenSSL bug, which has compromised the security of major sites all across the web (http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/). We'll follow up with further information as soon as possible.

Abe Dane

Apr 9, 2014, 10:28:53 AM
to tizra-...@googlegroups.com
Last night, we completed the process of patching our server software to address the Heartbleed OpenSSL bug (http://www.vox.com/2014/4/8/5593654/heartbleed-explainer-big-new-web-security-flaw-compromise-privacy).  This means that our servers are no longer vulnerable to hackers attempting to access secure information via the bug.

Although it is unlikely, the nature of the bug is such that there is no way to be 100% certain that it has not already been used to compromise our servers. Therefore, we are now in the process of completely rebuilding the servers to ensure they do not contain any previously added malicious code or other vulnerabilities.  

We'll be in touch with an update as soon as this process is complete, and will at that point recommend that all users with Admin access to Tizra sites change their passwords to ensure that their content and user data are protected. Admin users who are particularly concerned about security may want to change their passwords now, though they will need to change them again once the rebuild is complete.

When the rebuild is complete, we would also encourage publishers to ask that their end-users change their passwords as well.  While a compromised end-user account is obviously not as potentially damaging as an Admin account, there is still the potential for unauthorized content access.

Abe Dane

Apr 10, 2014, 4:25:09 PM
to tizra-...@googlegroups.com
We are planning to bring newly rebuilt servers online tonight sometime between 10pm and 12am EDT.  There will likely be one or more interruptions in service during this time, none of which are expected to last more than 10 minutes.  

The rebuilt servers will complete our work to address potential threats from the Heartbleed OpenSSL bug, which we first reported on this thread on Tuesday.

Abe Dane

Apr 10, 2014, 9:39:54 PM
to tizra-...@googlegroups.com
To allow a little more time for the server rebuild, we have re-scheduled the cutover to tomorrow night.  No interruptions should occur until then.