The Heartbleed issue has come up a few times in conversation over the last week, so I wanted to clear things up a little.
The bottom line: change your passwords on any site you use that appears in the list below.
A few more details:
– Heartbleed is a bug in one specific library, OpenSSL. OpenSSL is a very widely used implementation of SSL/TLS (Secure Sockets Layer and its successor, Transport Layer Security), the protocol behind most encrypted systems, most importantly the web (HTTPS). The bug itself is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension; it affects OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g.
– The internet is not broken. HTTPS (those are the websites with the little padlock icon) is not broken.
– Any web server running an affected OpenSSL build MAY have had its memory read by anyone who could connect to it: each malformed heartbeat request returns up to 64 KB of the server process's memory, and nothing is written to the logs. That memory can contain decrypted traffic, session cookies and even the server's private key, so any encrypted information sent to such a server MAY have been exposed in the clear.
– Typical encrypted information includes passwords.
– YOU SHOULD change your passwords for every web site that you use and that may have been compromised. See the list at http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ Note that this list includes gmail, facebook and github. And yes, you should change all of their passwords. One caveat: only change a password once the site has actually patched (the list above tracks that), otherwise you are sending the new password through the same hole.
Relating to Cloudify/XAP:
– Java does not use OpenSSL: its TLS stack (JSSE) is a separate implementation, so Java web servers were not affected. That includes any web servers that run as part of Cloudify or XAP. The exception is a Java server that terminates TLS through a native OpenSSL binding (Tomcat's APR/native connector, for example) or that sits behind an OpenSSL-based proxy; in that case the binding or the proxy is the thing to check.
– Most of the web servers affected were those running the Apache web server (httpd) or Nginx, not because of a bug in either server but because both link against OpenSSL for HTTPS (through mod_ssl in httpd's case).
– If there is a user out there running either httpd or nginx as part of their solution, they are using HTTPS, and the host's OpenSSL is 1.0.1 through 1.0.1f, they are vulnerable. This includes the XAP Load Balancer agent (which integrates with httpd) and the Cloudify recipes for nginx and httpd. The fix is to update OpenSSL, restart httpd or nginx so the running process picks up the new library, and then reissue the site's certificate and revoke the old one, since the private key may have been read out.
– SSH is not affected. The popular OpenSSH server does link OpenSSL's libcrypto for its ciphers and key handling, but it does not speak TLS, and the bug lives in OpenSSL's TLS heartbeat code, which OpenSSH never calls.
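To make the "are they vulnerable" bullet concrete, here is an added check script. It is my own example for this post, not code from the original article or from Cloudify/XAP. It classifies the version reported by `openssl version` against the affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release) and shows whether the httpd or nginx binary on the host links libssl at all. The banners in the script are constructed samples, not output from any real host.

```shell
#!/bin/sh
# Added example, not from the original post: a local check of the OpenSSL
# version an httpd/nginx host is running. Heartbleed (CVE-2014-0160) affects
# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later, and the
# 0.9.8 / 1.0.0 branches, are not affected.

# Return 0 if an upstream version string (e.g. "1.0.1e") is in the affected
# range, 1 otherwise.
heartbleed_affected_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1 .. 1.0.1f, incl. "-fips" builds
        1.0.2-beta1)                   return 0 ;;   # the one 1.0.2 pre-release affected
        *)                             return 1 ;;
    esac
}

# Pull the version field out of an `openssl version` banner such as
# "OpenSSL 1.0.1e 11 Feb 2013". Prints nothing for non-OpenSSL banners.
banner_version() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" {print $2}'
}

# Classify a banner: prints "affected", "not-affected" or "unknown".
classify_banner() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif heartbleed_affected_version "$v"; then
        echo affected
    else
        echo not-affected
    fi
}

# Does the named binary dynamically link libssl (and so inherit the bug)?
# Prints the libssl line from ldd, returns 1 if the binary is absent or static.
links_libssl() {
    bin=$(command -v "$1" 2>/dev/null) || return 1
    ldd "$bin" 2>/dev/null | grep -m1 'libssl'
}

main() {
    # Constructed sample banners, so the script shows its output offline.
    for b in "OpenSSL 1.0.1e 11 Feb 2013" \
             "OpenSSL 1.0.1g 7 Apr 2014" \
             "OpenSSL 0.9.8y 5 Feb 2013"; do
        printf '%-30s -> %s\n' "$b" "$(classify_banner "$b")"
    done
    # The real check on this host, if an openssl binary is installed.
    if command -v openssl >/dev/null 2>&1; then
        printf 'local openssl              -> %s\n' "$(classify_banner "$(openssl version)")"
    fi
    for d in httpd apache2 nginx; do
        l=$(links_libssl "$d") && printf '%s links %s\n' "$d" "$l"
    done
    echo "note: Debian/Ubuntu/RHEL backported the fix without changing the version"
    echo "string, so an 'affected' result must be confirmed against the package"
    echo "changelog (dpkg -s openssl / rpm -q --changelog openssl | grep 0160)."
}

main
```

Two caveats on reading the result. A version string in the affected range is necessary but not sufficient: the distributions shipped patched packages that still report 1.0.1e or 1.0.1f, so the package changelog is the final word, and an OpenSSL built with -DOPENSSL_NO_HEARTBEATS is not affected either. Conversely, a patched library does nothing until every process that loaded the old one (httpd, nginx, and anything else linking libssl) has been restarted, which is why the script also lists what links libssl.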
Finally, I strongly recommend you use a password manager. Both LastPass and KeePass are good options. With one, changing a long list of passwords is a chore rather than an ordeal, and every site gets its own unique password, so a password leaked from one site cannot be replayed against the others.
If you have any questions, please feel free to post them below.
Now go change your passwords. Really, go do it now.