By Suzanne Coleman, CTO
April 9, 2014
It was announced this week that a major vulnerability has been identified in some versions of OpenSSL, and this vulnerability can result in leaking data over what were thought to be secure connections. A Security Advisory issued by the OpenSSL Project can be found at: https://www.openssl.org/news/secadv_20140407.txt
Intrix Technology does not use any of the affected versions of OpenSSL in the Intrix Payment Gateway, or in its entry point software (for example, the Intrix Virtual Terminal, the Intrix Hosted Payment Solution, the Intrix SOAP API). Intrix TranScend software does not use any of the affected versions of OpenSSL. Since Intrix does not use the affected versions of OpenSSL, this vulnerability does not affect Intrix customers when using Intrix systems.
Other vendors’ software may contain this vulnerability, and there are unconfirmed reports that some Yahoo passwords have been obtained by exploiting this vulnerability. So, what should you do?
If you use any system that connects to another system using SSL (Secure Sockets Layer) and that is used to process or transmit any data that is considered sensitive, you should contact the vendor and ask if they are vulnerable to this bug. If they are, they should already have a remediation plan that they can provide to you.
OpenSSL is an open-source toolkit commonly used by application makers to provide Secure Sockets Layer (SSL) connections. SSL connections are used when two computers or systems need to communicate via the internet in a secure manner. URLs that start with HTTPS (notice the “s”) are secure “SSL encrypted” connections between your browser and the site to which you are connected. The connections are made secure by encryption, and it is the encryption library that has the bug. For more information on what OpenSSL is and how SSL works, there are many references available, including this site at DigiCert: https://www.digicert.com/ssl.htm.
A variety of sources are providing information about the Heartbleed bug. As always, one should verify the source of the information before taking action based on that information. One such source of information is http://heartbleed.com/.
Intrix Technology considers security our top priority. Upon learning of this issue, Intrix immediately verified all products to ensure that Intrix environments and products are secure.