'Heartbleed' SSL vulnerability
9 April 2014
In case you've heard about the latest SSL vulnerability codenamed 'Heartbleed', our main web server, hosting 99% of our websites, has not been affected as the version of OpenSSL we have installed predates the introduction of this vulnerability.
A second server, hosting a single website, may have been vulnerable for up to 12 months, and a third server, set up in February this year, would also have been affected. Both were automatically patched earlier this week.
The vulnerability, while serious, is not as dramatic as some news reports suggest, but it could have allowed a determined attacker to read chunks of a server's 'private memory' over an encrypted connection and use them to expose encrypted data and private keys.
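Whether a server was exposed comes down to which OpenSSL release it runs: the heartbeat code that carries the bug first shipped in the 1.0.1 series, and 1.0.1g is the release that fixed it. The following is an added example, not code from this site or from the OpenSSL project, that classifies the banner printed by `openssl version` against that upstream range. The helper names and the sample banners are assumptions constructed for the example.

```python
import re

# Upstream OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f.
# 1.0.1g shipped the fix. The 0.9.8 and 1.0.0 branches never carried the
# heartbeat extension, so a server on those versions "predates" the bug.
_LAST_VULNERABLE_LETTER = "f"

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, patch, letter).

    Returns None when the banner is not recognised. Hypothetical helper for
    this example; the real `openssl version` command prints the banner itself.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def in_heartbleed_range(banner):
    """True when the upstream version string falls in 1.0.1 .. 1.0.1f.

    Caveat: distribution packages often backport the fix without changing the
    upstream version string, so a True here means "check the package changelog",
    not "definitely vulnerable". A False for 1.0.1g or later, or for 0.9.8/1.0.0,
    is reliable because those releases never contained the bug.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % (banner,))
    major, minor, patch, letter = parsed
    if (major, minor, patch) != (1, 0, 1):
        # 0.9.8 / 1.0.0 predate the heartbeat code; the 1.0.2 release line
        # shipped after the fix (its pre-release betas are not modelled here).
        return False
    # "1.0.1" with no letter is the original 1.0.1 release and is affected;
    # single letters sort lexically, so "a".."f" are affected and "g"+ are fixed.
    return letter == "" or letter <= _LAST_VULNERABLE_LETTER


def triage(banners):
    """Return {banner: verdict} for a batch of banners gathered from servers."""
    return {b: ("affected range" if in_heartbleed_range(b) else "not affected")
            for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, one per server in the notice above.
    SAMPLE_BANNERS = [
        "OpenSSL 0.9.8o 01 Jun 2010",   # main server: predates the bug
        "OpenSSL 1.0.1e 11 Feb 2013",   # second server: affected range
        "OpenSSL 1.0.1g 7 Apr 2014",    # after the automatic patch
    ]
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print("%-32s %s" % (banner, verdict))
```

On a Debian- or Ubuntu-based host the patched package can still report 1.0.1e, so pair this check with the package version from the distribution's advisory rather than trusting the upstream string alone.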
For the average Internet user, if any of the online services you are using have been affected, you should wait for them to announce that their servers have been patched, and only then change your password.
And to be doubly safe, change your passwords for any other services that use the same or similar login.