Security gap Heartbleed

A big issue in the last two days was the vulnerability called “Heartbleed”.

Heartbleed affects, for example, web stores, Internet banking and, in general, all web services accessed over SSL (“https”).

Whether such “https” connections were or are actually a security risk depends on the technology used on the server in question. Specifically, the vulnerability is tied to certain versions of OpenSSL that allowed sensitive data, such as login passwords, to be extracted unnoticed, provided that this information had been entered via the affected web page.

IT services

Various ETH central IT services have used affected versions of OpenSSL. For a list of the services concerned, as well as the non-affected services, please consult

http://www.id.ethz.ch/servicedesk/heartbleed

This page will be completed and refreshed with new status information on a regular basis.

Change passwords

Please note that even if a service was affected, this does not mean that passwords were stolen; unfortunately, this is impossible to verify, and a residual risk has to be assumed. For this reason, we recommend changing the passwords used on affected systems once those systems are up to date. Expected date: 16.4.2014.

Of course, these considerations apply equally to other, privately used services outside ETH. (The following tool can be used to check a public website: http://filippo.io/Heartbleed)
