On Monday, April 7th the Internet community became aware of a security flaw in a very common technology used to secure communication between clients and servers. The nature of this bug means that for many months malicious attackers could have been capturing traffic that we all thought was well secured.
As soon as a patch was available (early Tuesday morning for most HSU systems) ITS staff patched all affected systems. We requested replacement SSL certificates for all servers that handle usernames and passwords and put these in place on Thursday, April 10th.
We urge all users of campus systems to change their HSU passwords.
For off campus accounts, we recommend that you change passwords you use as well. It's difficult to recommend timing, because a lot of organizations are not publicly announcing their status in terms of addressing this vulnerability. A spring cleaning password change this weekend would be a great idea, just keep in mind that you might get an email from one of your online service late next week urging you to change that password again because they just finished cleaning this up.
- CNET: A list of the top 100 sites on the web and their Heartbleed security status.
- Forbes: See if sites you use are vulnerable to Heartbleed and how to change passwords.
Please contact the Technology Help Desk or call them at (707) 826-HELP (4357) if you have any questions.