The Heartbleed vulnerability (a.k.a. “The OpenSSL Bug”) exists in implementations of OpenSSL, which is used to provide SSL/TLS content encryption for HTTPS (as well as some VPNs and other services). OpenSSL is widely used, with the vast majority of its use in open source products like the Apache web server and nginx running on Linux or other *nix operating systems. Even some networking equipment uses implementations of OpenSSL. While not used or implemented natively on Windows servers or IIS, OpenSSL can still be present on Windows servers if you install it directly or as part of another product (for example, by installing the Windows version of the Apache web server).
So, how does this affect Axosoft and you, our customers? Given that Axosoft does not use OpenSSL for encryption in our web servers, application servers, software products, load balancers, or any other server or network infrastructure, the Heartbleed vulnerability does not impact Axosoft services or our customers. Axosoft uses Microsoft Windows servers and the IIS web server for our company websites (Axosoft.com, store.axosoft.com, etc.) as well as all of our web-based SaaS products. Microsoft does not use OpenSSL for SSL/TLS encryption functionality in IIS, but instead uses its own Secure Channel (SChannel) implementation to provide encryption services and functionality, and this SChannel component is not vulnerable to the Heartbleed bug.
For anyone who needs or wants more information, here is a short post on one of Microsoft’s TechNet Blogs that doesn’t get too technical: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
For anyone who may want a deeper dive on the technical side, there is an excellent post by Troy Hunt describing a lot of the details on Heartbleed: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
If you would like to see whether a website is potentially affected by Heartbleed, you can test it with this site: http://filippo.io/Heartbleed/.