GDCORP patched for OpenSSL (Heartbleed) vulnerability 04/09/2014

The latest SSL vulnerability, known as Heartbleed, affects secure services provided by nearly 2/3 of all servers worldwide.

Garage Door Corporation has NO evidence of any security breach, as most of our servers are IP restricted and require 2 factor authentication (and have for several years). It should be noted that we do NOT store any payment/credit card information on our servers. All check payments are processed as paper items by our local bank (we do not perform electronic conversion of check payments). We have been using a third-party PCI certified gateway provider for all credit card processing for many years; these transactions are encrypted at time of entry by the gateway-provided swiping/software devices, for which Garage Door Corporation has NO access to the security keys. We have written verification from the provider, dated 4/10/14, that their systems are not affected by Heartbleed.

Garage Door Corporation applied the appropriate patches to all of its servers (web, AIMS accounting system, email, file servers, blog, databases, phone system and remote administration) on 4/8/2014, within hours of the public disclosure of the problem and the patches. Nearly all servers are production-grade Linux systems residing in a major data center in Chicago, IL. All security certificates (SSL/TLS) were revoked and reissued with different security keys. All user and administrative passwords are being changed as an additional precaution. All encrypted drives are being rekeyed.
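As an added example (not part of this notice), the following Python helper shows one way an administrator can triage `openssl version` banners collected from a fleet after a patch run: upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are the affected releases, 1.0.1g is the fixed release, and the 0.9.8 and 1.0.0 branches never had the heartbeat code. The banner strings below are constructed; the important caveat is that distributions often backport the fix without changing the version number, so a "vulnerable" verdict here means "check the package changelog", not a confirmed hole.

```python
import re

# Matches "OpenSSL <major>.<minor>.<fix><letter>[-beta1|-pre1|-dev] <date>".
# Anything after the version (build date, "-fips") is ignored.
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+|dev))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, tag) from an `openssl version` banner, or None."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, fix, letter, tag = m.groups()
    return (int(major), int(minor), int(fix), letter or "", tag or "")


def is_heartbleed_vulnerable_version(banner):
    """True if the *upstream* version is in the Heartbleed-affected range.

    Affected: 1.0.1 (no letter) .. 1.0.1f, and 1.0.2-beta1.
    Fixed:    1.0.1g and later. Never affected: 0.9.8.x, 1.0.0.x.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, fix, letter, tag = parsed
    if (major, minor) != (1, 0):
        return False
    if fix == 1:
        # Letter releases sort alphabetically: "" < "a" < ... < "f" < "g".
        return letter <= "f"
    if fix == 2:
        return tag == "beta1"
    return False


def triage(banners):
    """Map each banner to a verdict; 'review' flags possibly-backported distro builds."""
    verdicts = {}
    for banner in banners:
        try:
            vulnerable = is_heartbleed_vulnerable_version(banner)
        except ValueError:
            verdicts[banner] = "unknown"
            continue
        # A version-only check cannot see distro backports (e.g. a patched
        # 1.0.1e package), so an affected upstream version is "review", not "confirmed".
        verdicts[banner] = "review" if vulnerable else "not affected"
    return verdicts
```

Run `triage` over the output of `openssl version` gathered from each host, then confirm any "review" entries against the vendor package changelog before declaring them patched.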

Our servers accept TLS 1.0, TLS 1.1 and TLS 1.2 ONLY. Our servers get an A- rating from ssllabs.com. This well-respected provider shows our servers are NOT vulnerable to Heartbleed and are providing nearly maximum protection with SSL protocols, ciphers, key exchange methods, etc. We use the latest production-grade server OS's, and they are kept patched regularly. We could get an A+ rating if we used Apache 2.3.3 or 2.4 (required to implement Perfect Forward Secrecy, PFS), but these are not generally considered production grade (yet), so we are keeping our existing version.

Based on the advice of our password manager provider and our separate 2 factor authentication provider, users are encouraged to change their passwords after systems have been patched and new SSL certificates issued. We believe every user should follow these guidelines for their personal logins. Be sure to use a strong password (UPPER and lower case letters, numbers and special characters). Our servers have required such a configuration for years. We use passwords of 20 or more characters in addition to 2 factor authentication and client certificates when appropriate. The only way to avoid reusing your long passwords is to use a password manager and use a different password for every site.

We will update this notice if other pertinent information is released. Please contact us with any questions or comments.

W Brad Hershey
