Heartbleed OpenSSL Bug and D-PHYS Services

On Monday the public was made aware of a severe bug in OpenSSL, a cryptography library which is used as the core of many cryptographically secured IT services. Since the bug was in the Heartbeat extension it has been named "Heartbleed".

This bug allowed attackers to stealthily access parts of the memory used for cryptographic actions, i.e. it may include digital keys in use on servers or passwords transferred over encrypted connections.

If you used any password-protected D-PHYS web services or the D-PHYS mail server between 12th of December 2013 (or used the BackupPC web-interface since end of 2012) and Tuesday, the 8th of April 2014, there is a very small chance that your D-PHYS password and possibly other transmitted data may have been leaked to an attacker. We currently have no indication that this has actually happened on our servers.

To be safe, you might want to change the password of your D-PHYS account and any other account where the same password is used. See this Heise article for a discussion (in German) about whether you should change your password or not.

Services and systems not directly affected by the heartbleed bug are SSH, Mosh, PGP, GPG and NTP. So your SSH and PGP/GPG private keys do not need to be changed unless you used the D-PHYS password as passphrase or they weren't protected by a passphrase at all. SSH host keys should not be affected either. (If you do not know what these terms mean, don't bother: you are very likely not affected anyways.)

Tags: , , , , , , , , ,