Security gap Heartbleed
A big issue in the last two days was the vulnerability called “Heartbleed”, which affects, for example, web stores, Internet banking or in general all web services accessed over SLL (“https”).
Whether such “https:” connections effectively were/are a security risk depends on the technology used on the corresponding server. Specifically, it is bound to some specific versions of OpenSSL that allowed for the unnoticed extracting of sensitive data, such as login passwords, providing that such information had been entered over this webpage.
IT services
Various ETH central IT services have used affected versions of OpenSSL. For a list of the services concerned, as well as the non-affected services, please consult
This page will be completed and refreshed with new status information on a regular basis.
Change passwords
Please note that, although a service might have been affected, it does not mean that passwords were stolen; unfortunately this is just impossible to verify and one have to assume a residual risk. For this reason, we recommend to change passwords used on affected systems, after the systems are up to date. Expected date: 16.4.2014.
Of course these considerations apply identically to other, privately used services outside of the ETH. (the following tool can be used in order to check a public website: http://filippo.io/Heartbleed)
Posted on
in News English
