Technology vendors have moved to allay customers' concerns about the newly discovered Heartbleed flaw in the OpenSSL implementation of the transport layer security (TLS) protocol.
Google issued an update on 14 April telling customers a previously promised fix to its Compute Engine and Search Appliance services has been delayed as new evidence about the Heartbleed flaw hindered its patching efforts.
The tech giant added that companies using the services should consider altering their systems to use custom-made encryption keys while it works on a permanent solution.
"In light of new research on extracting keys using the Heartbleed bug, we are recommending that Google Compute Engine (GCE) customers create new keys for any affected SSL services," read the updated advisory.
"Google Search Appliance (GSA) customers should also consider creating new keys after patching their GSA. Engineers are working on a patch for the GSA, and the Google Enterprise Support Portal will be updated with the patch as soon as it is available."
The Heartbleed security vulnerability was discovered by researchers with a Finnish company called Codenomicon at the start of April and is believed to affect millions of web servers around the world.
The US Computer Emergency Response Team (CERT) has published a list of all known affected companies, but the full scale of the flaw remains unknown. Its potential for harm is significant as OpenSSL encryption is used by open-source web servers such as Apache and Nginx, which host 66 percent of all sites.
Prior to Google's update, V3 collected statements and guidance from key companies to help ascertain the full impact of the Heartbleed flaw. You can see the original guidance from 10 April below.
"We added protections for Facebook's implementations of OpenSSL before this issue was publicly disclosed, and we haven't detected any signs of suspicious activity on people's accounts. We're continuing to monitor the situation closely."
"Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows' implementation of SSL/TLS was also not impacted."
"We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine."
Google also confirmed the vulnerability affects its Cloud SQL, Compute Engine, Search Appliance and Android services, but promised patches will arrive for them in the very near future.
The Android vulnerability oddly only affects the 4.1.1 Jelly Bean version. The Cloud SQL and Google Compute Engine issues will be slightly more complex to fix and require separate actions from users.
As explained by Google: “We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances.
“[Google Compute Engine] customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library.”
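Google's advice to reboot after updating OpenSSL addresses a common gap: long-running daemons keep the old, vulnerable library mapped in memory until they restart. The following shell script is an added example (not code from Google, Amazon or the article) that checks for exactly that condition by looking for libssl/libcrypto mappings the kernel marks "(deleted)" in /proc/<pid>/maps; the sample maps content is constructed for demonstration.

```shell
#!/bin/sh
# Added example: find processes still using a pre-update OpenSSL library.
# After the package upgrade replaces libssl/libcrypto on disk, a process that
# loaded the old copy shows it in /proc/<pid>/maps with a "(deleted)" suffix.

# stale_ssl_libs MAPS_FILE
# Prints each deleted OpenSSL library mapped in the given maps file (deduplicated).
# Exit status 0 if at least one stale mapping exists, 1 otherwise.
stale_ssl_libs() {
    pattern='lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$'
    grep -E "$pattern" "$1" 2>/dev/null | awk '{print $6}' | sort -u
    # grep's status is lost in the pipeline, so re-test it for the return value
    grep -qE "$pattern" "$1" 2>/dev/null
}

# scan_running_processes
# Walks /proc and reports every PID that still maps a deleted OpenSSL library.
# Exit status 0 when no process is affected (safe to skip the reboot), 1 otherwise.
scan_running_processes() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if stale_ssl_libs "$maps" >/dev/null; then
            found=$((found + 1))
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            echo "PID $pid ($cmd) still maps:"
            stale_ssl_libs "$maps" | sed 's/^/    /'
        fi
    done
    [ "$found" -eq 0 ]
}

# demo_maps
# Writes a constructed /proc/<pid>/maps excerpt to a temp file and prints its path:
# two segments of an old libssl (deleted on disk) and a current libcrypto.
demo_maps() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
7f2a1c000000-7f2a1c1e0000 r-xp 00000000 08:01 131  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a1c1e0000-7f2a1c3e0000 ---p 001e0000 08:01 131  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a1c400000-7f2a1c5f0000 r-xp 00000000 08:01 140  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
    echo "$tmp"
}

# Run with "--scan" as root on a live host; without arguments it only defines functions.
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
fi
```

On a patched host, any PID the scan reports must be restarted (or the instance rebooted, as Google recommends) before the update can be considered effective.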
Amazon has warned customers that the vulnerability affects its Elastic Load Balancing, Amazon Elastic Compute Cloud (EC2), AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront services.
The Elastic Load Balancing components affected by the flaw have been updated, though Amazon recommended: “As an added precaution, we recommend that you rotate your SSL certificates using the information provided in the Elastic Load Balancing documentation.”
The firm also recommended: “Amazon EC2 customers using OpenSSL on their own Linux images should update their images in order to protect themselves from the Heartbleed bug.”
An update is available for AWS OpsWorks, and Amazon has already mitigated the issue affecting its CloudFront service.
The company’s AWS Elastic Beanstalk is the only service that remains unfixed, though Amazon confirmed: “We are working with a small number of customers to assist them in updating their SSL-enabled single-instance environments that are affected by this bug.”
"On 7 April 2014 we were made aware of a critical vulnerability in OpenSSL (CVE-2014-0160), the security library that is widely used across the internet and at Twitter. We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation."
Cisco said: "The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by this vulnerability. Cisco Advisory OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products was just published and already includes information on vulnerable products and others confirmed not vulnerable.
"The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco will be communicated according to the Cisco Security Vulnerability Policy."
"We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said.
"This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
"Following a comprehensive review of all our services, our security teams did identify a handful of businesses that we recommend upgrade their Payflow Gateway integrations to eliminate the risk of vulnerability. The Payflow Gateway is a payment gateway for online merchants that links your website to your processing network or merchant account," said PayPal.
"We have already been in touch with the merchants who could potentially be affected and are working with them to upgrade their integrations."