Connections Online and the OpenSSL Vulnerability (aka Heartbleed)
As many of you have heard, the Heartbleed vulnerability is wreaking havoc on the Internet this week. Everyone is scrambling to see which of the services they use were affected and what to do to mitigate any exposure. We have been investigating this vulnerability as it pertains to all of our Connections Online services, and the short answer everyone wants to hear is that Connections Online was not affected in any way.
All of our web sites and services are built on Microsoft Internet Information Services (IIS) and use Microsoft's own SSL/TLS implementation, Secure Channel (SChannel). SChannel shares no code with OpenSSL and is not affected by Heartbleed. As a security enhancement, we had also already configured our servers to prefer cipher suites that provide Perfect Forward Secrecy (PFS). With PFS each session is protected by an ephemeral key, so if a similar vulnerability were ever found in Microsoft's implementation and our server's long-term private key were exposed, previously recorded traffic still could not be decrypted with it. PFS does not by itself stop a memory-disclosure bug from leaking whatever is in server memory at the time, so the important point remains that SChannel does not have this bug.
We also looked into the systems we use for online backups and Related Link file storage, since those systems transport Connections Online data as well. We use Amazon Web Services S3 and JungleDisk for backups, and S3 for the Related Link file storage (Secure Sypher). Amazon Web Services was partially affected by Heartbleed, but Amazon has announced that they have "either determined that the services [including S3] were unaffected or have been able to apply mitigations that do not require customer action." JungleDisk released a notice that they "did not have the vulnerable (D)TLS heartbeat extension enabled," so JungleDisk was also not affected.
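Both properties discussed above, whether a server even negotiates the TLS heartbeat extension that Heartbleed abuses (JungleDisk's point) and whether it picks a forward-secret cipher suite (our PFS point), can be read directly from the server's ServerHello. The following is an added example, not code from the original post or from Connections Online. It parses a ServerHello record from constructed sample bytes rather than a live connection, and the cipher-suite table, the `assess` function and the sample records are my own; in practice you would feed it the bytes read from a socket after sending a ClientHello, or check the `-tlsextdebug` output of `openssl s_client` for a "heartbeat" line.

```python
"""Inspect a TLS ServerHello for two things relevant to Heartbleed exposure:
  - whether the server advertised the heartbeat extension (RFC 6520, type 0x000f);
    a server that never negotiates it cannot be sent a malicious heartbeat at all
  - whether the negotiated cipher suite uses an ephemeral (ECDHE/DHE) key
    exchange, i.e. provides forward secrecy
Presence of the extension only means a probe could be attempted; it does not by
itself prove the implementation is the vulnerable OpenSSL 1.0.1 code.
"""
import struct

HANDSHAKE = 0x16          # TLS record content type
SERVER_HELLO = 0x02       # handshake message type
HEARTBEAT_EXT = 0x000F    # RFC 6520 extension type

# Small subset of the IANA cipher-suite registry, enough for the samples below.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def build_server_hello(cipher_suite, extensions, version=(3, 3)):
    """Assemble a TLS record carrying a ServerHello. Used here only to construct
    sample input; a real probe reads this from the socket."""
    body = bytes(version) + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack(">H", cipher_suite) + b"\x00"  # chosen suite, null compression
    if extensions:
        ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack(">H", len(hs)) + hs


def parse_server_hello(record):
    """Return version, cipher suite and extensions from a ServerHello record,
    rejecting truncated or inconsistent length fields instead of reading past them."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    version = (body[0], body[1])
    pos = 2 + 32                      # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                # skip session_id
    suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 1                      # skip cipher suite and compression method
    extensions = {}
    if pos < len(body):               # extensions block is optional
        ext_total = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions overrun ServerHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns extensions block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": suite, "extensions": extensions}


def assess(record):
    """Summarise heartbeat negotiation and forward secrecy for one ServerHello."""
    hello = parse_server_hello(record)
    suite = hello["cipher_suite"]
    name = CIPHER_SUITES.get(suite, "unknown(0x%04x)" % suite)
    hb = hello["extensions"].get(HEARTBEAT_EXT)
    return {
        "cipher_suite": name,
        "forward_secrecy": "_ECDHE_" in name or "_DHE_" in name,
        "heartbeat_advertised": hb is not None,
        # RFC 6520 HeartbeatMode: 1 = peer_allowed_to_send, 2 = peer_not_allowed_to_send
        "heartbeat_mode": hb[0] if hb else None,
    }


# Constructed samples, not captured traffic: a server that advertises heartbeat and
# picks a plain-RSA suite, and one that does neither.
HEARTBEAT_RSA_SERVER = build_server_hello(0x002F, [(HEARTBEAT_EXT, b"\x01")])
NO_HEARTBEAT_PFS_SERVER = build_server_hello(0xC02F, [])

if __name__ == "__main__":
    for label, rec in (("heartbeat+RSA", HEARTBEAT_RSA_SERVER),
                       ("no heartbeat+ECDHE", NO_HEARTBEAT_PFS_SERVER)):
        print(label, assess(rec))
```

The length checks in `parse_server_hello` are deliberate: Heartbleed was exactly a case of trusting a length field in a TLS message over the number of bytes actually received, so a checker for it should not repeat that mistake on the server's reply.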
Bryan T. Siders