We have been approached by customers and content partners to ask whether Bango has been affected by the ‘Heartbleed Bug’. We can confirm that none of our systems have been affected.
We want to ensure you are fully aware of the ‘Heartbleed Bug’. This bug has the potential to affect the Open SSL implementation of the TLS (Transport Layer Security) protocol. Details of the bug, vulnerabilities and how to reduce exposure can be found at http://heartbleed.com
This vulnerability has been widely addressed since being discovered and announced on the 7 April 2014. The bug has existed since December 2011, so before being addressed the bug created the possibility for a malicious user to exploit a vulnerability in the Open SSL coding to access the system memory in client and server software potentially rendering visible data that might include security data, such as encryption keys, private certificates passwords.
The protocols HTTPS, FTPS and TLS are potentially vulnerable to this bug. The good news is that Bango does not use the Open SSL library in its products and services. We have ensured those vendors providing hardware and software systems, and support to Bango, are also not affected. All of our systems have been scanned for the vulnerability both internally and externally; none are affected.
However, we highly recommend you review and change your passwords you use to access Bango Services; if you use the same password on any other system which was affected by ‘Heartbleed’ then these credentials could be used to compromise your access to Bango. As a matter of best practice, you should have a unique password per system or service.
There is no requirement for us to change our SSL keys and certificates as a result of this bug. Bango rotate our SSL keys and certificates regularly and as a matter of good security practice, we recommend you do the same.
We also recommend that you test your own systems regularly for security flaws, and you should also be aware that Open SSL use is not limited to webservers. It is also used widely in hardware and software network products, so we recommend that you test for this specific vulnerability in any of your own systems that you use to connect to Bango.