You’ve likely already heard about Heartbleed by now. This massive security vulnerability in the OpenSSL library has left people scrambling to change their passwords left, right and center. But let us be upfront by saying that all ManageWP user data is safe and secure. No data has been breached. You don’t need to take any action regarding our site or services.
Whenever there’s a security issue on the Internet, it’s normal to panic. After all, your personal information could be at risk! But if we’ve done anything right here at ManageWP, it’s been to ensure the safety of your personal information.
Let’s take some time to get familiar with Heartbleed, then discuss how our security measures have ensured that your sites are not affected by this bug.
What is the Heartbleed Bug?
Heartbleed is a pervasive bug that lets attackers steal your personal information and data, even when it is protected by SSL/TLS encryption. In case you were unaware, SSL/TLS is what keeps information secure while it travels over the Internet. It’s used to ensure privacy and security for a wide variety of password-protected services, such as email, messaging, VPNs, and more.
But with the bug in place, this normally encrypted information is up for grabs. Attackers were able to eavesdrop on communications, steal data directly from services and users, and even impersonate services and users. By repeating the attack over and over again, someone could set up a fake version of a website or service to steal private information and even intercept private messages. As you can imagine, this is a big problem.
What makes Heartbleed so unusually threatening, however, is how widespread it is. It’s estimated that up to 66% of all websites on the Internet have been affected by the bug. That’s two-thirds! And in some cases, the usernames, passwords, credit card numbers, and other protected data that were submitted on affected sites have been compromised. According to CNET, the bug also makes it possible for attackers to steal the digital keys that are used to encrypt communications, affording them access to internal documents that companies would rather keep under lock and key.
Understandably, the first course of action for users out there is to change their passwords for sites and services that may have been affected by Heartbleed. Most have been pretty forthcoming so far about whether or not they’ve been affected.
The bug was discovered by Codenomicon, a security firm, and Neel Mehta, a Google researcher. They both found it on the same day, albeit independently of one another. The name “Heartbleed” might leave some scratching their heads; it’s a rather romantic name for a bug. While its technical name is actually CVE-2014-0160 — which is the line of code where the bug was found — the term “Heartbleed” is a play on words from an OpenSSL extension that’s actually called “heartbeat,” according to Vocativ. The heartbeat protocol keeps connections open, even when data isn’t currently being shared. Ossi Herrala of Codenomicon named it Heartbleed because heartbeat was “bleeding out” important info.
We once broke down the entire process of how we handle security, but it bears some repeating now. While you might have to change your passwords on other sites on the web right now, ManageWP was developed with ironclad security in mind. In fact, no sensitive information about your sites is stored on the ManageWP server and you are never required to enter a password for any of your blogs. Anytime you want to make a modification within one of your blogs, you do so within the blog itself.
But how do we make this work? It all happens seamlessly thanks to the Worker plugin that’s installed on your sites. This is installed very carefully, by the way, to ensure your sites are 100% secure.
What Does the Worker Plugin Do?
Let’s go into a bit of detail about the Worker plugin. ManageWP sends encrypted and hashed messages from our site to the Worker plugin installed on your site, which checks that they came from our servers before processing them. However, each message can only be accepted once; they are strictly one-time use. So, even if someone were to decrypt a whole message, he wouldn’t be able to use it again.
We make all of this possible through the use of a nonce-based system. Essentially, a cryptographic nonce is a random number issued during authentication that can’t be used again. So, the nonce is made invalid as soon as the Worker plugin accepts the message. It’s one-time use and completely secure.
Similarly, passwords are never saved on our end of things. Plus, we never transmit them during our communication with the Worker plugin. So, by managing your sites through ManageWP, you are not exposed to the Heartbleed vulnerability – even if your hosting server or website is not patched.
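The one-time-use scheme described above, as an added illustration that is not the Worker plugin’s own code: the message is signed with a shared secret (an assumption on our part; the post says the real messages are encrypted and hashed), carries a random nonce and a timestamp, and the receiver accepts each nonce only once, so a captured copy is useless a second time.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed shared secret for this example only; a real deployment provisions one per site.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"


def sign(secret: bytes, nonce: str, ts: int, action: str) -> str:
    """HMAC-SHA256 over every field the receiver will check, keyed with the shared secret."""
    payload = f"{nonce}|{ts}|{action}".encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def build_message(secret: bytes, action: str, now: Optional[int] = None) -> dict:
    """Sender side: a fresh random nonce, a timestamp, and a tag binding both to the action."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16).hex()
    return {"nonce": nonce, "ts": ts, "action": action, "tag": sign(secret, nonce, ts, action)}


class WorkerReceiver:
    """Receiver side: accepts a correctly signed, fresh message exactly once."""

    def __init__(self, secret: bytes, max_age: int = 300):
        self.secret = secret
        self.max_age = max_age        # seconds a message stays acceptable
        self.used_nonces = set()      # in production this store must be persistent and shared

    def verify(self, msg: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        expected = sign(self.secret, msg["nonce"], msg["ts"], msg["action"])
        # Constant-time comparison so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad signature"
        if abs(now - msg["ts"]) > self.max_age:
            return False, "expired"   # bounds how long the nonce store must remember entries
        if msg["nonce"] in self.used_nonces:
            return False, "replay"    # the same message presented again is rejected
        self.used_nonces.add(msg["nonce"])
        return True, "accepted"


if __name__ == "__main__":
    receiver = WorkerReceiver(SHARED_SECRET)
    msg = build_message(SHARED_SECRET, "update_plugin")
    print(receiver.verify(msg))   # (True, 'accepted')
    print(receiver.verify(msg))   # (False, 'replay')
```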
There has been a bit of confusion surrounding ManageWP and the use of OpenSSL. A cursory glance at the news surrounding the Heartbleed bug shows that it is sites using OpenSSL that have been affected.
Now, OpenSSL is an open-source implementation of the standard SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. The versions affected are 1.0.1 through 1.0.1f.
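A quick check of that range against the output of `openssl version`, as an added example rather than anything from the post or from ManageWP; the letter suffix is OpenSSL’s patch level, and the comments note the boundary cases and the caveat that some distributions backport the fix without changing the version string.

```python
import re
from typing import Tuple

# Affected range as stated above: OpenSSL 1.0.1 through 1.0.1f.
AFFECTED_FIRST = (1, 0, 1, "")
AFFECTED_LAST = (1, 0, 1, "f")

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, str]:
    """Pull the version out of `openssl version` output such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    The trailing letter is the patch level; an empty string means the base release, and it
    sorts before 'a', so plain tuple comparison gives the right ordering.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, patch = m.groups()
    return int(major), int(minor), int(fix), patch


def is_heartbleed_version(text: str) -> bool:
    """True when the version falls inside the affected range.

    Caveat: some distributions backport the fix while keeping the old version string,
    so a match means 'confirm with your vendor', not 'definitely vulnerable'.
    """
    return AFFECTED_FIRST <= parse_openssl_version(text) <= AFFECTED_LAST


# Constructed sample outputs covering the boundaries of the range.
SAMPLES = {
    "OpenSSL 1.0.1e 11 Feb 2013": True,   # inside the range
    "OpenSSL 1.0.1 14 Mar 2012": True,    # base release, no letter
    "OpenSSL 1.0.1f 6 Jan 2014": True,    # last affected release
    "OpenSSL 1.0.1g 7 Apr 2014": False,   # first fixed release
    "OpenSSL 1.0.0m 5 Jun 2014": False,   # older branch, not affected
    "OpenSSL 0.9.8y 5 Feb 2013": False,   # older branch, not affected
}

if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        print(f"{line:35} affected={is_heartbleed_version(line)} (expected {expected})")
```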
However, specificity is important here. ManageWP never ran any of the affected OpenSSL versions, and prior to the discovery of the bug, the OpenSSL version we used was older than the affected versions.
Communication between ManageWP and your sites is handled by OpenSSL, but the version used isn’t one of those that has been affected by Heartbleed. And even if it were, you would still be safe because of the aforementioned one-time-use nonce system. So, even if information had been compromised, a hacker wouldn’t be able to use it because of the way encryption is handled. This is why offering multiple layers of security is so important. And we’re actually seeing a lot of sites switch over to two-part verification processes in an effort to prevent issues like this from arising ever again.
While you might be stuck resetting passwords on a lot of sites right now, ManageWP doesn’t have to be one of them. Our dedication to security through the use of the Worker plugin and one-time use encryption ensures your data is safe.
With regard to other sites and services, it’s a good idea to change your passwords if the site has acknowledged it was affected by the breach. But CNET advises waiting to find out whether the site has patched the issue before going to the trouble of resetting your personal information. Otherwise you’d just potentially reveal your new password to a hacker and have to change it again once the issue is fixed. So please, wait for notification.
Many sites have put up official notices about whether or not they’ve been affected and their site’s current security status. While you’re all good here for ManageWP, you might want to check out CNET’s running list of the top 100 sites and their status. Many weren’t compromised at all but some were and a password change is recommended. Google, Facebook, and YouTube users, we’re looking at you! And you might also want to check out the Internet Heartbleed Health Report, which shows the Internet’s 1,000 most popular sites that are still currently vulnerable to attacks.