CWRU IT experts respond to April OpenSSL (”Heartbleed”) vulnerability

A major security vulnerability named Heartbleed was discovered on April 7 and has the potential to impact all Internet use between users’ computers and servers that use Open SSL (webpages that start with https). The security vulnerability permits the theft of some information, including user IDs and passwords, in addition to any information shared between the user and the server that would normally be protected during the session.

Since Tuesday morning, Information Technology Services and information technology administrators for the university’s schools and departments have been evaluating university-managed servers and have confirmed that none of the core critical IT services using SSL, including Single Sign-On or case.edu, are affected by this vulnerability because they do not use the version of OpenSSL that is vulnerable.

Although there has been no evidence that a CWRU website has been compromised, IT administrators know the vulnerability has existed since March 2012. They urge CWRU users to subscribe to multifactor authentication with popular services, such as Google, Yahoo, Facebook, iCloud, Evernote and Twitter.

CWRU users are advised to exercise caution with websites they visit. The exploit can affect both servers and users’ Web browsers. Users can expect all major browsers to address this issue with an update (e.g. Chrome has already released an update). As server and site owners double their efforts to patch their servers, users may be notified to change their passwords with the service providers. IT experts anticipate a new wave of phishing messages using this vulnerability as an excuse to steal login credentials and compromise accounts. Beware of spam messages.

Users also can test sites they use with Heartbleed Test Site. In addition, users can ensure the security of their Web browsers and plugins by using the CWRU Browser Check plugin.

More technical information can be found in the Qualys SSL Testing site.

At this time, CWRU IT administrators are not asking users to change their CWRU network passwords.

Please contact the CWRU Service Desk at 216.368.HELP with additional questions or for assistance.