You have likely heard by now about the "Heartbleed" SSL vulnerability (CVE-2014-0160). Put simply from the perspective of a user of the Internet, this vulnerability means that for the last two years, any secure "your-browser-shows-a-lock" site you went to might have not really been secure, and an attacker could have been intercepting your passwords or sensitive data just like they can on "regular" non-SSL sites. Or, an attacker might discover information about a server hosting an SSL site that could help them in an attempt to compromise (hack) that server.
The Linux Foundation takes security very seriously. We, like many others, use the popular OpenSSL library to secure our web services. Within hours of the publishing of the OpenSSL advisory Monday and the LWN news report, we began patching our affected SSL services, which we completed Monday night/Tuesday morning (07:45 UTC). All SSL sites we manage have had newly-generated certificates installed.
It's nearly impossible to know for sure, due to the nature of the vulnerability, how much the Heartbleed vulnerability was used to snoop on secure data. We recommend for our sites the same as for other sites: first, watch for a statement to come out from your financial institutions, email providers, and others, which shares whether they were affected. Start changing your passwords. Use different passwords on different sites and store them in a password safe like KeePass, LastPass or 1Password. That way, if any sites that remain vulnerable leak your password, it won't affect any other sites. Check back on sites that post statements after you changed the password, and then change the passwords again if needed.
We highly recommend our users change the password on their Linux Foundation ID—which is used for the logins on most Linux Foundation sites, including our community site, Linux.com—for your own security and as part of your own comprehensive effort to update and secure as many of your online credentials as you can.
- Linux Foundation ID: https://identity.linuxfoundation.org/
Wishing you a secure 2014,
Eric Searcy, IT Infrastructure Manager
The Linux Foundation