“Heartbleed” vulnerability update

You may have read the news this week of a serious security vulnerability in the OpenSSL library, which undergirds a large amount of SSL/TLS traffic on the internet. CVE-2014-0160 is the official reference for what is being called the “Heartbleed” vulnerability. It is so named because the specific problem is in the OpenSSL library’s implementation of the new heartbeat extension built into the TLS/DTLS protocol. Exploiting this vulnerability permits a remote attacker to read the memory of an impacted system without leaving a trace.

Yes, it is a scary bug, and Smashrun Ops takes security very seriously. There are two important things to note at this time.

1. The infrastructure directly supporting, and with access to, your customer data was not impacted by this security flaw at any point in time. The tier that handles your login and demographic information and the certificate that encrypted your credit card information were not impacted, because that infrastructure does not use the OpenSSL library at all.

2. Smashrun owns supporting infrastructure that does not have direct access to customer data and that was running a vulnerable version of OpenSSL. This infrastructure has been completely patched and is believed to be exploit-free.

We thank you for trusting us with your personal information. And we thank you for your continued patronage.

Smashrun Ops
