There has been much talk about the Heartbleed Bug lately, everything from the Canada Revenue Agency having to shut down its Income Tax website to Blackberry needing to patch its BBM service. It has been a scary time indeed for those of us who rely on the Interwebz for our data. Within days of the announcement, though, I started receiving emails from some of my Cloud Service Providers advising me of how they patched the Bug and that all was right with the world…for now.
While I was concerned enough to change every password to every website that I subscribe to, I am surprised at how many companies did not bother to notify me directly that they were taking actions to protect me. There were major sites all over the globe that were affected by this security hole…and progressive companies should have no problem with telling their customers that they were aware of the issue and had taken actions to protect their customers' information!
Just letting you know that Koding is unaffected by the security vulnerability known as Heartbleed.
On April 7 a serious security vulnerability (CVE-2014-0160) was disclosed in the OpenSSL library. Like much of the internet, we responded to this critical issue by conducting a security review of our servers.
We’ve never used the OpenSSL library. Koding built its own proxies using Go and Go has its own implementation of TLS. Therefore, you don’t need to change your password (unless you used the same password on other sites that’ve been affected by Heartbleed).
We did a thorough investigation anyway and we’ve concluded that none of our servers were affected by this bug, nor was any user information compromised. Our engineering team will continue to monitor the situation.
At Koding we take security and transparency seriously, which is why we’re emailing you today to let you know your information is safe. No additional step is required on your behalf. If you have any questions feel free to reply to this.
Simple enough: they put my concerns at ease quickly, and while I still changed my password, I was able to move on and get on with my day.
When it comes to Security and Transparency, why aren’t more companies doing this? Is it really that hard to let their customers know that our Privacy and Security are important to them? For years, Cloud Service Providers have battled with the concept that their services are not as secure as building internally but yet…when it comes to the single greatest threat to our online lives in years…there was basically silence and even though there is some outcry that Google kept the issue a secret…I still trust the fact that my information is as safe with Google and for the most part I believe that even though there is a lack of transparency with many Cloud Service Providers, they are doing their best to make sure our information is safe.
What are your experiences with your Cloud Providers? Did you get any Notifications of fixes and patches?