Important security advisory: Heartbleed
Published on 10 April 2014
We don't often issue security advisories like this, but this is the most serious one in the last five years or so, and potentially affects everyone on the Internet. No need to panic, but website owners and managers need to act fast to minimise the potential effects.
A serious bug (named “Heartbleed”) in a library that is used on approximately 2 out of 3 servers on the Internet to provide secure communication (e.g. HTTPS web traffic, with the padlock in the address bar) has recently been reported.
The bug allows an attacker to obtain the decryption keys that protect web traffic over HTTPS, and consequently, to listen in on transmitted data that would otherwise be secure.
This means it is possible that user passwords and server data have been compromised, though to our knowledge there is not yet any evidence that anyone has maliciously done so, either for IC sites or any others. However there is no way to know for sure. The main thing we can do now is to act fast to minimise the effects of the exposure, and prevent attacks from happening in future.
The bug affects all of us at an individual level: in brief, any password you may have transmitted over HTTPS on any site in the past 2 years might have been compromised. However unlikely, there’s no way to know for sure. For maximum protection, you should:
- not log in to HTTPS sites that are still vulnerable to the bug. You can check that here.
- (sigh) change every password on every site you have used online in the past two years, but only after first confirming that the site has fixed the bug.
We recommend using a password manager such as 1Password to generate and store unique passwords for every site, to minimise your exposure to online security breaches.
If you operate a website that has an HTTPS connection:
Use this site to check your HTTPS site for vulnerability. If your site is vulnerable, you should apply the appropriate update on your server, change admin passwords at least, and reissue relevant SSL certificates as a precaution - or ask whoever manages your server to do so.
IC will do this for all our sites, and will be in touch to advise any site owners that are affected. If we manage your server, we will apply the update and reissue SSL certificates for you.
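One follow-up check for the "apply the appropriate update" step above, added here as an example and not part of the advisory: services that were already running keep the old, vulnerable library mapped in memory until they are restarted, and on Linux such mappings appear in /proc/<pid>/maps with a "(deleted)" suffix. The script below scans for that condition; the sample tree, PIDs and library paths it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Report PIDs whose memory maps still reference a deleted libssl/libcrypto,
# i.e. processes that loaded the library BEFORE the package update and have
# not been restarted since. $1 is the /proc-style root to scan (default /proc),
# so the same logic can be exercised against a constructed sample tree.
stale_ssl_pids() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue   # unreadable (other user's process) or no match
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"      # strip trailing "/maps"
            pid="${pid##*/}"         # keep only the PID directory name
            echo "$pid"
        fi
    done
}

# Constructed sample tree (hypothetical PIDs and paths): PID 101 still maps the
# old, deleted libssl/libcrypto; PID 202 maps the current, on-disk copy.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/101" "$dir/202"
    printf '%s\n' \
      '7f0a1c000000-7f0a1c200000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.1.0.0 (deleted)' \
      '7f0a1c400000-7f0a1c600000 r-xp 00000000 08:01 1235 /usr/lib/libcrypto.so.1.0.0 (deleted)' \
      > "$dir/101/maps"
    printf '%s\n' \
      '7f0b2d000000-7f0b2d200000 r-xp 00000000 08:01 9876 /usr/lib/libssl.so.1.0.0' \
      > "$dir/202/maps"
    echo "$dir"
}

# Demo against the constructed tree. On a real host run, as root:
#   stale_ssl_pids | xargs -r ps -o pid,comm -p     # then restart those services
tree=$(make_sample_tree)
echo "Processes still mapping a deleted libssl/libcrypto: $(stale_ssl_pids "$tree")"
rm -rf "$tree"
```

An empty result after the update and a restart of every listed service (or a reboot) is the condition you want before reissuing certificates and changing passwords.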
If you, or anyone you know, needs help with ensuring your site isn't vulnerable, please get in touch and we can arrange to help.