A major new security bug named “Heartbleed”, which could have severe implications for the entire Web, was discovered this week. The bug is in OpenSSL, the encryption technology used by about two-thirds of Web servers, and it lets an attacker read a server’s memory, where sensitive user data is stored, including private data such as usernames, passwords, and credit card numbers.
What is the ‘Heartbleed’ bug?
According to Codenomicon, the security firm that discovered the bug:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
You can find out more information about the bug here and more information about OpenSSL on this link.
Is oneSafe at risk?
No, and here is why:
The Heartbleed bug pertains to the OpenSSL library, which is software used to transmit encrypted data on the Internet. This means that if you’re using oneSafe without any sync, the bug is not relevant.
Now, if you’re using iCloud or Dropbox to sync your data, while these systems might be at risk in some cases, the data protected and synchronised using oneSafe is safe, because:
• Before any data leaves oneSafe to be stored on any cloud, it is first encrypted using another technology called AES256. The Heartbleed bug doesn’t affect this technology.
• The AES256 ciphering is performed using your oneSafe master password that is never transmitted to any cloud.
You can see this as multi-layer protection: on the Internet, data is protected using OpenSSL, and in oneSafe’s case this data is first protected using AES256. It would take a bug in both systems at the same time to break it. Impossible.
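The layering described above, as an added example that is not oneSafe's code: a record is encrypted on the device with a key derived from the master password, and only the resulting blob is handed to the sync layer. The page states only that AES256 is used with the master password; the PBKDF2 key derivation, GCM mode, iteration count, blob layout and all names here are assumptions, and the code uses the Node.js built-in `crypto` module.

```javascript
// Added example, not oneSafe's code. Assumed: PBKDF2-HMAC-SHA256 key derivation,
// AES-256-GCM mode, iteration count, and the salt|nonce|tag|ciphertext blob layout.
const crypto = require('crypto');
const KDF_ITERATIONS = 200000;

// Derive the 32-byte AES-256 key on the device; the password is never stored or sent.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Encrypt one record. The returned blob is all the sync/TLS layer ever handles.
function sealRecord(masterPassword, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Decrypt a blob; returns null when the password is wrong or the blob was altered.
function openRecord(masterPassword, blob) {
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const body = blob.subarray(44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM authentication failed
  }
}

// True if the bytes seen by the transport or cloud contain the given secret.
function leakReveals(blob, secret) {
  return blob.includes(Buffer.from(secret, 'utf8'));
}

// Constructed sample data.
const MASTER = 'correct horse battery staple';
const RECORD = 'bank.example login: alice / s3cret-PIN-4821';
const blob = sealRecord(MASTER, RECORD);
console.log('leak reveals record:  ', leakReveals(blob, 's3cret-PIN-4821'));
console.log('leak reveals password:', leakReveals(blob, MASTER));
console.log('right password:', openRecord(MASTER, blob));
console.log('wrong password:', openRecord('guess', blob));
```

In this model the blob's confidentiality rests entirely on the master password, since the salt and nonce travel with the ciphertext.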
What should I do?
Even if there’s no risk from oneSafe’s point of view, some of your passwords may have been stolen from the affected websites that you use.
We highly recommend that you:
• Change your passwords immediately, especially the critical ones such as iBanking passwords, PayPal, …
• Make sure you use different passwords for different websites so as to limit risks on your side if any of your passwords gets stolen.
We understand you might be worried, as this event has shaken the whole Internet. We see this as a test of our application, and proof of how robust its security architecture is.
The most important thing is that you keep using different passwords for different websites, so as to limit risks if any of your passwords gets stolen.