As many of you have probably read, a new discovery called the Heartbleed Bug has potentially made about 75% of websites insecure by leaving large amounts of data vulnerable to hackers. The security hole exists on the server side, not in the Checkbox software, so some Checkbox customers may be affected while others are not. Read on to learn more about the Heartbleed Bug and whether or not your Checkbox installation may be affected.
What is the Heartbleed Bug?
From the security firm Codenomicon:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Is your Checkbox Online (hosted) account vulnerable to Heartbleed?
Heartbleed does not affect the Checkbox application directly; it is a vulnerability for web servers using OpenSSL. Checkbox Online servers (accounts hosted with Checkbox) DO NOT use OpenSSL and therefore are NOT vulnerable to the Heartbleed Bug. You do not need to take any further action if you host your Checkbox account with us, as your data will not be compromised by Heartbleed.
Is your Checkbox Server installation vulnerable to Heartbleed?
If you host your Checkbox Server account yourself, your server and therefore your Checkbox installation may be vulnerable to Heartbleed if you use OpenSSL. If you do not use OpenSSL, you do not need to do anything further. If you do use OpenSSL, you should immediately test for vulnerability to Heartbleed by using any of the numerous tools available online. Some that we recommend are:
If you have any questions or aren't sure what type of Checkbox account you have, please contact our support department.
- The Checkbox Survey Team