Jump to content

The Heartbleed Bug


Recommended Posts

Posted

http://heartbleed.com

 

This is a pretty serious vulnerability in OpenSSL which leads to discovery of private keys, logins, passwords etc. Are Evernote servers affected? Are you taking any steps to mitigate this? I rely on Evernote for everything and this makes me worry a lot.

  • Level 5*
Posted

This is a user forum, if you have a specific question about a subject like this then you are probably better off opening a support request.

 

It would be pretty unwise for an organisation to publicly admit that they have vulnerabilities or the methods they are using to close holes, so I think it's pretty unlikely that you will get a direct answer.

Posted

It would be pretty unwise for an organisation to publicly admit that they have vulnerabilities or the methods they are using to close holes, so I think it's pretty unlikely that you will get a direct answer.

 

On the contrary, if Evernote has at any point since December 2011 been vulnerable to this bug, they need to tell customers immediately.

 

Currently www.evernote.com is not vulnerable (I checked). But that does not mean it has not been in the past. If Evernote servers have never used the affected versions of OpenSSL, that would be useful to know, too.

 

Does Evernote use Perfect Forward Security? If so, when was it introduced?

 

If Evernote has ever been affected by this bug, have the SSL certificates been changed since?

 

The answers to these questions will help users evaluate their level of exposure.

 

Depending on how paranoid you are feeling, now might be a good idea to change your password and enable two factor authentication.

 

I made a quick guide to Heartbleed here.

Posted

Chat session I just had:

 

me: Are you intending to release a statement regarding the Heartbleed bug at any point? It would be useful to know if you have at any point used the affected versions of OpenSSL since December 2011 in any of your software.
Just a moment...
Jason: Thanks for contacting Evernote Support. One moment please while I review your question.
I'm personally aware of it having read the stories yesterday. I don't yet know if our company has a statement planned. I'd be glad to look into it for you and forward your request to the appropriate channels. May I follow up with you by email?
me: That would be great. Yes please.
Jason: Gladly. You have a good one.
  • Level 5*
Posted

Chat session I just had:

 

me: Are you intending to release a statement regarding the Heartbleed bug at any point? It would be useful to know if you have at any point used the affected versions of OpenSSL since December 2011 in any of your software.

Just a moment...

Jason: Thanks for contacting Evernote Support. One moment please while I review your question.

I'm personally aware of it having read the stories yesterday. I don't yet know if our company has a statement planned. I'd be glad to look into it for you and forward your request to the appropriate channels. May I follow up with you by email?

me: That would be great. Yes please.

Jason: Gladly. You have a good one.

Thanks for following up on this. Hopefully, Evernote will release a statement soon. Most of the services I use have been mum about it as well, though. Ars Technica is the only place I regularly frequent that has released a statement and fixed the problem.

http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/

[EDIT:] Whoops! It turns out a lot of others were even faster than Ars, and I am glad to hear that SpiderOak (an encrypted cloud storage solution I use) was not vulnerable to this flaw.

https://spideroak.com/blog/

Posted

UPDATE: SEE POST BELOW

 

https://lastpass.com/heartbleed/?h=evernote.com

 

Detected server software of Apache
That server is known to use OpenSSL and could have been vulnerable.

The SSL certificate for evernote.com valid 2 years ago at Aug 14 00:00:00 2012 GMT.
This is before the heartbleed bug was published, it may need to be regenerated. 

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...