Every now and again, a security threat comes along which really forces the Internet’s collective back against the proverbial wall. Heartbleed, a gaping flaw in the OpenSSL cryptographic library, is such a threat.
Since security researchers first announced it on Monday, a plethora of the web’s biggest companies and services have been quick to react, including the popular content management system Drupal, used by many of our clients.
What is Heartbleed?
In a nutshell, Heartbleed is a recently discovered vulnerability in OpenSSL, software used by most websites (including Facebook, Amazon, Gmail and a slew of others) to transmit safely the data you, as a user, want to keep private.
OpenSSL does this by turning data such as log-in credentials, uploaded content and potentially even payment information into seemingly random characters; only the intended recipient, who holds the matching encryption key, can turn that information back into what you entered.
Heartbleed gives hackers a way to obtain those encryption keys from a vulnerable server, and to use them to syphon a wealth of valuable data from the services they target.
How has Drupal been affected?
According to a post on Drupal’s official blog by Chief Technology Officer Joshua Mitchell, the service has thus far escaped unscathed from the wrath of Heartbleed. Still, Mitchell insists that Drupal are taking no chances when it comes to protecting their users. He wrote:
“Members of the Drupal Association staff, Drupal Security Team and Drupal Infrastructure Team have reviewed Drupal.org's potential exposure to the vulnerability.
“As of now, we have no indication that Drupal.org was attacked using this vulnerability. That said, the nature of the vulnerability makes an attack difficult to detect and we prefer to be cautious.”
What are Drupal doing about Heartbleed?
In his blog post, Mitchell insists that the company took swift action in forcing password resets on users with admin or project repository access.
“While we have only forced the password reset for some users, we recommend that all of our users change their passwords,” he says.
Beyond that, Drupal have gone ahead with a range of measures designed to keep their service safe and secure. These include:
Installed new SSL certificates based on a new private key
Revoked the old SSL certificates
Replaced the private strings (drupal_private_key and drupal_hash_salt) which are used for a variety of security-related purposes in all Drupal sites
Replaced the private key used by the “bakery” single-sign-on system on Drupal.org
Removed all active sessions
Verified the email addresses in use today match those in use a week ago
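The list above is what Drupal.org did. The check below is an added example, not code from Drupal or from this post, showing how a site operator can confirm that the first two steps actually took effect: that the certificate now being served is a different certificate, that it carries a new public key (a certificate reissued on the old private key leaves a leaked key just as useful as before), and that its validity starts after the disclosure date. The certificates, the hostname www.example.test and the issue dates are constructed for the example; in real use the old certificate would be the one exported from the web server before the incident and the new one would be fetched from the live site.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DisclosureCutoff is the day Heartbleed became public (7 April 2014).
var DisclosureCutoff = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// RotationReport records what comparing the pre-incident certificate with
// the one served now tells a responder.
type RotationReport struct {
	CertReissued bool // a different certificate is being served
	KeyRotated   bool // and it carries a different public key
	IssuedAfter  bool // and its validity starts after the cutoff
}

// Remediated is true only when all three conditions hold.
func (r RotationReport) Remediated() bool {
	return r.CertReissued && r.KeyRotated && r.IssuedAfter
}

func parseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckRotation compares two PEM certificates. Public keys are compared as
// DER SubjectPublicKeyInfo, so RSA and ECDSA keys are handled alike.
func CheckRotation(oldPEM, newPEM []byte, cutoff time.Time) (RotationReport, error) {
	oldCert, err := parseCert(oldPEM)
	if err != nil {
		return RotationReport{}, fmt.Errorf("old certificate: %w", err)
	}
	newCert, err := parseCert(newPEM)
	if err != nil {
		return RotationReport{}, fmt.Errorf("new certificate: %w", err)
	}
	return RotationReport{
		CertReissued: !bytes.Equal(oldCert.Raw, newCert.Raw),
		KeyRotated:   !bytes.Equal(oldCert.RawSubjectPublicKeyInfo, newCert.RawSubjectPublicKeyInfo),
		IssuedAfter:  newCert.NotBefore.After(cutoff),
	}, nil
}

// selfSignedPEM builds a constructed stand-in for a certificate an operator
// would export from the web server (old) or fetch from the live site (new).
func selfSignedPEM(key *ecdsa.PrivateKey, notBefore time.Time, serial int64) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // hypothetical host
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildScenario returns a constructed (old, new) certificate pair. With
// rotateKey=false the new certificate is reissued on the old private key,
// the incomplete remediation this check exists to catch.
func BuildScenario(rotateKey bool) (oldPEM, newPEM []byte, err error) {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	newKey := oldKey
	if rotateKey {
		if newKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, err
		}
	}
	if oldPEM, err = selfSignedPEM(oldKey, time.Date(2014, time.January, 15, 0, 0, 0, 0, time.UTC), 1); err != nil {
		return nil, nil, err
	}
	if newPEM, err = selfSignedPEM(newKey, time.Date(2014, time.April, 10, 0, 0, 0, 0, time.UTC), 2); err != nil {
		return nil, nil, err
	}
	return oldPEM, newPEM, nil
}

func main() {
	for _, rotate := range []bool{false, true} {
		oldPEM, newPEM, err := BuildScenario(rotate)
		if err != nil {
			panic(err)
		}
		report, err := CheckRotation(oldPEM, newPEM, DisclosureCutoff)
		if err != nil {
			panic(err)
		}
		fmt.Printf("key rotated=%v -> %+v remediated=%v\n", rotate, report, report.Remediated())
	}
}
```

The point of comparing the SubjectPublicKeyInfo rather than the certificate bytes is that a reissued certificate always looks new (fresh serial, fresh dates) even when the underlying private key was never replaced; only the key comparison tells the two cases apart.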
For more information about Drupal, how Heartbleed could affect your website or to discuss your web development needs, contact our senior consultant Adam on 020 7693 6134 or firstname.lastname@example.org