TL;DR: We’re happy to report that after auditing our services Zamzar has not been affected by the Heartbleed vulnerability. Read on for more info …
Two days ago, on 7th April 2014, a major security vulnerability, CVE-2014-0160 (nicknamed “Heartbleed”), was announced.
This bug has the potential to affect any site which runs “secure” HTTPS traffic (usually identified by the little padlock you see in your web browser).
Current estimates put the number of affected sites at half a million, with renowned security expert Bruce Schneier calling it “Catastrophic … On the scale of 1 to 10, this is an 11.”
Our response
We run HTTPS services here at Zamzar for our business customers, as part of our efforts to keep your files and data secure, and were naturally concerned when we heard about this issue. We’re happy to report that after auditing our services Zamzar has not been affected by the Heartbleed vulnerability. We do run the software which can be affected (OpenSSL), but the version we run, 0.9.8, does not have this bug.
We take our responsibilities to customers very seriously, which is why we conducted a full audit of our services on the same day that this bug was announced, on the 7th April 2014.
Other sites
If you use other services and software, please be aware that they could still be vulnerable to this issue – you can check whether they are by using a number of tools to test for the Heartbleed vulnerability (although, please make sure you have permission first):
- Filippo Valsorda’s Heartbleed Test
- 1st Limited’s Heartbleed Test
- Jared Stafford’s Proof of Concept exploit in Python
Given the severity of this problem – passwords can be stolen, sessions hijacked, traffic and files spied upon – you should be asking the other websites you use what they are doing to fix the problem.
Patching your own sites
If you run your own web servers for customers you should check to make sure they are not vulnerable. If they are, you should upgrade to a fixed version of OpenSSL as soon as possible, either by using your operating system’s package manager (e.g. apt, yum or up2date) or by downloading and installing the latest release from OpenSSL.
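One way to triage a server's OpenSSL build for the check above, as an added example that is not Zamzar's audit tooling: it classifies the output of `openssl version -a` against the upstream releases that contain the bug (1.0.1 through 1.0.1f and the 1.0.2 betas up to beta1, fixed in 1.0.1g). The function name, status strings and sample output are constructed for illustration.

```python
import re

# Upstream OpenSSL releases containing the Heartbleed bug (CVE-2014-0160):
# 1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1. Fixed in 1.0.1g.
_BANNER = re.compile(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?", re.M)

def heartbleed_status(version_output):
    """Classify the text printed by `openssl version -a`."""
    m = _BANNER.search(version_output)
    if not m:
        return "unknown"              # not an OpenSSL banner
    base, letter, beta = m.group(1), m.group(2), m.group(3) or ""
    if base == "1.0.1":
        if beta:
            return "unknown"          # pre-release build: inspect manually
        in_range = len(letter) <= 1 and letter <= "f"   # "" (1.0.1) .. "f"
    elif base == "1.0.2":
        in_range = beta in ("-beta", "-beta1")
    else:
        in_range = False              # e.g. 0.9.8 and 1.0.0 have no heartbeat code
    if not in_range:
        return "not_affected"
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeats_disabled"  # vulnerable code compiled out
    # Distributions backport the fix without changing this banner, so
    # confirm against the vendor package changelog before concluding.
    return "in_affected_range"

# Constructed sample of `openssl version -a` output (not from a real host).
SAMPLE = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Jan  6 10:00:00 UTC 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2
"""

if __name__ == "__main__":
    for text in (SAMPLE, "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(text.splitlines()[0], "->", heartbleed_status(text))
```

A result of `in_affected_range` means the banner alone cannot clear the host: check the installed package's changelog for the CVE-2014-0160 fix, and restart services that still have the old library loaded after upgrading.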
Conclusions
We take the security of your data very seriously here at Zamzar, and will work hard to protect it on your behalf. If you have any questions or concerns about this or any other issue please do shoot us an email at info@zamzar.com.
Thanks,
The Zamzar Team.