The Heartbleed Bug

http://heartbleed.com

This is a pretty serious vulnerability in OpenSSL which leads to discovery of private keys, logins, passwords etc. Are Evernote servers affected? Are you taking any steps to mitigate this? I rely on Evernote for everything and this makes me worry a lot.

This is a user forum, if you have a specific question about a subject like this then you are probably better off opening a support request.

It would be pretty unwise for an organisation to publicly admit that they have vulnerabilities or the methods they are using to close holes, so I think it's pretty unlikely that you will get a direct answer.

It would be pretty unwise for an organisation to publicly admit that they have vulnerabilities or the methods they are using to close holes, so I think it's pretty unlikely that you will get a direct answer.

On the contrary, if Evernote has at any point since December 2011 been vulnerable to this bug, they need to tell customers immediately.

Currently www.evernote.com is not vulnerable (I checked). But that does not mean it has not been in the past. If Evernote servers have never used the affected versions of OpenSSL, that would be useful to know, too.

Does Evernote use Perfect Forward Security? If so, when was it introduced?

If Evernote has ever been affected by this bug, have the SSL certificates been changed since?

The answers to these questions will help users evaluate their level of exposure.

Depending on how paranoid you are feeling, now might be a good time to change your password and enable two-factor authentication.

I made a quick guide to Heartbleed here.

Chat session I just had:

me: Are you intending to release a statement regarding the Heartbleed bug at any point? It would be useful to know if you have at any point used the affected versions of OpenSSL since December 2011 in any of your software.
Just a moment...
Jason: Thanks for contacting Evernote Support. One moment please while I review your question.
I'm personally aware of it having read the stories yesterday. I don't yet know if our company has a statement planned. I'd be glad to look into it for you and forward your request to the appropriate channels. May I follow up with you by email?
me: That would be great. Yes please.
Jason: Gladly. You have a good one.
Chat session I just had:

me: Are you intending to release a statement regarding the Heartbleed bug at any point? It would be useful to know if you have at any point used the affected versions of OpenSSL since December 2011 in any of your software.

Just a moment...

Jason: Thanks for contacting Evernote Support. One moment please while I review your question.

I'm personally aware of it having read the stories yesterday. I don't yet know if our company has a statement planned. I'd be glad to look into it for you and forward your request to the appropriate channels. May I follow up with you by email?

me: That would be great. Yes please.

Jason: Gladly. You have a good one.

Thanks for following up on this. Hopefully, Evernote will release a statement soon. Most of the services I use have been mum about it as well, though. Ars Technica is the only place I regularly frequent that has released a statement and fixed the problem.

http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/

[EDIT:] Whoops! It turns out a lot of others were even faster than Ars, and I am glad to hear that SpiderOak (an encrypted cloud storage solution I use) was not vulnerable to this flaw.

https://spideroak.com/blog/
