Unless you've been off grid this week, you'll have heard about the Heartbleed bug.
Summary: Hundreds of thousands of web and email servers worldwide have a software flaw that lets attackers steal the cryptographic keys used to secure online commerce and web connections, experts say.
Refractiv customers using MySiteAdmin or WordPress are not affected; however, we're taking this incident very seriously and will keep this page updated with breaking news.
Google has applied patches to key services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine.
We've done our own basic SSL tests on the following services and all have tested negative for Heartbleed, but we're waiting for official statements, which we'll link to here.
- Capsule CRM (statement)
- Zendesk (statement)
- FlashPanel (how FlashPanel helps)
- Appogee Leave
- SmartSheet (their statement)
Update [Tue 15th April 2014]: We have received the following specific advice from Google:
In short: except where noted, Google's apps have been updated and new certificates have been generated. For Google users, even changing passwords is not considered a necessary precaution due to the Heartbleed issue.
Q. What do Google users need to do to protect themselves?
Since we were able to patch our services early (before the bug was widely publicized), Google users do not need to change their Google Account passwords. However, they should change passwords for any other services that issued patches after the bug was announced. Changing their password before then could expose the new password.
Q. What Google services have you patched?
We’ve applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics and Tag Manager. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. If you are a Google Cloud Platform or Google Search Appliance customer, or don’t use the latest version of Android, read our blog post to learn what you should do.
Q. Sites that were vulnerable to Heartbleed are being urged to revoke their SSL certs and issue new ones. Has Google taken that step yet?
After patching, new keys should be created and used to generate new certificates to prevent future exploitation. That's why we're recommending that our partners issue new keys if they've been affected by the bug, and we've rotated keys for our services as needed.
Further to this, we also suggest that you consider the following method: set Chrome to check for certificate revocation.
See details on gAppsTips here: http://gappstips.com/chrome-tips/view/208/set-chrome-to-check-for-certificate-revocation