Heartbleed SSL exploit - how my1login protects your business

Like all good IT security businesses, my1login became aware of the Heartbleed OpenSSL bug in the last 24 hours.

Heartbleed turns out to be a programming error in the OpenSSL code that is used by a huge swathe of the world’s software to manage the secure connections between web browsers and web servers. By exploiting this programming error it is possible for an attacker to view the contents of this “secure” channel between your web browser and the server. So, even if you use the https version of websites and see the padlock symbol, a hacker would potentially still see the data that's being transmitted.

The bug was reported in the last 24 hours and OpenSSL had fixes available this morning. Here at my1login we have patched our servers with no reported downtime for any of our customers.

While Heartbleed is a serious issue for some providers, my1login actually protects users against the vulnerability. With my1login your usernames, passwords and secure notes are encrypted before they are transmitted, so even if an intruder attempted the exploit, they would only obtain encrypted data that is useless to them.

How my1login protects your business

There's one certainty in IT security - that nothing is 100% secure. Given enough time and money anything can be broken. The only way to stay secure is to make it a numbers game - to encrypt your data in such a way that it would take a prospective hacker millions of years to break it. This is where my1login comes in, using AES 256 encryption to make it impossible for hackers to access your data unless they have the key used to encrypted it - a key that is not stored by my1login and only known to you. Even my1login doesn't know the encryption key (your key phrase) that is used to encrypted your business logins, so even we cannot see your unencrypted passwords.

From the Heartbleed.com website that reported the bug:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

You can find out if any sites that you use still have this vulnerability by going to http://filippo.io/Heartbleed

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

Further Reading

• Graham Cluley's article on the Heartbleed Vulnerability
• BBC article on the bug
• Heartbleed.com