A major security flaw was discovered a few days in a key piece of security software called openssl used by more than 60% of websites in the world. This security flaw has caused sysadmins to scramble to apply fixes as quickly as possible.

All onCourse systems were patched for this flaw within 12 hours of the bug becoming public knowledge. We know that major banks in Australia as well as companies like Google and Facebook scrambled also to patch their systems.

Good technical information can be found here: http://heartbleed.com/. A less technical overview can be seen here: http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/

In short, this is a very serious issue which leaks information about private memory areas of the server to an attacker. It is not possible to detect and there is no way to retrospectively identify what information might have been leaked. However, the issue only become widely known about in the last 12 hours. It is hoped that attackers will not have had time to learn of the flaw, devise an attack and implement it. The attack requires a high level of technical knowledge. Also, no data from the database was directly exposed, however it is possible that data being displayed to different users on the website could have been accessed.

This would not have compromised data on the server itself, just data in transit between users and the website. This also had no effect on the security inside onCourse itself since we don’t rely on the openssl library there.

As an additional security measure we are also in the process of replacing every security certificate on all hosted sites with new ones. There is a small but finite chance that these certificates were compromised by the previous security hole.

We recommend that users wait a week or so for other providers to patch this hole and then change their passwords on all websites they log into remotely. This is a good opportunity to use a password manager (even the built-in ones in Chrome/Firefox are good) and use a different random password on every website. This is really important.