original image from heartbleed.com, sticking plasters added by us.
In March 2014, our WordPress service was moved to new hosting. We moved from a system that was not susceptible to the Heartbleed bug, to a new system that, ironically, exposed us to the openssl TLS weakness.
This was patched when the first major public announcements of the exploit were released.
The site certificate in use at the time was revoked, and a new one generated from a new private key.
We need people to change the passwords they use for logging on to any of the WordPress sites we host. If you use the domain authentication mechanisms we have deployed on some sites, then you will need to change the password associated with your University login.
For the short time we were exposed, it was possible for a remote hacker to extract information from our WordPress service. We generally use SSL and TLS to secure the transfer of things like passwords between a web client and the wordpress server. If the Heartbleed bug had been exploited on our site, then passwords used to log onto the various sites we host may have been captured.
- Heartbleed.com (http://heartbleed.com/)
About the bug, tools for checking, strategies for mitigation, etc
- OpenSSL (http://www.openssl.org/)
OpenSSL is an open source project providing tools and libraries for using SSL/TLS security (encryption/authentication) in client and server software.
- xkcd explanation (http://xkcd.com/1354/)
A simple explanation of how you might exploit the bug