Protecting our clients' data is one of our top priorities. New vulnerabilities are discovered in various pieces of software on a daily basis, making staying on top of security updates incredibly important. We diligently monitor the National Vulnerability Database and Common Vulnerabilities and Exposures (CVE) so we're aware of the latest threats and update our servers and software as quickly as possible.
Recently, the vulnerability known as FREAK (Factoring Attack on RSA-EXPORT) was announced. It allows an attacker to force connections to downgrade from "strong" RSA public-key cryptography to the weaker "export-grade" RSA public-key cryptography. By doing so, the attacker takes advantage of a vulnerability in the SSL/TLS implementation to force both clients and servers to use weaker encryption, so that data can be intercepted and decrypted. This vulnerability was specific to the OpenSSL implementation, which is primarily found on Linux, UNIX, and OS X servers. It affects many of our clients who use SSL certificates and/or secure web pages (https://) to serve their secure content.
We are pleased to announce that none of our servers were compromised by this vulnerability, and since the announcement we have updated to the latest version of OpenSSL on all of our servers. A simple test can be performed from a command line where OpenSSL is accessible:
openssl s_client -connect SERVER_IP_ADDRESS:443 -cipher EXPORT
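The command only prints raw handshake output, so here is an added example (not part of the original post) that wraps it and turns the output into a verdict. The function names, verdict labels and sample outputs are constructed for illustration, and the matched strings assume typical openssl s_client messages; a refused handshake is the result you want, and a local OpenSSL build that no longer ships export ciphers cannot run the test at all.

```shell
#!/bin/sh
# Added example. Function names and verdict labels are hypothetical; the
# matched strings assume typical `openssl s_client` messages.

# Read s_client output on stdin and print one verdict.
classify_export_test() {
    out=$(cat)
    case "$out" in
        *"no cipher match"*)
            # The local OpenSSL build has no export suites to offer,
            # so nothing was actually tested against the server.
            echo "INCONCLUSIVE" ;;
        *"Cipher is EXP"*)
            # Handshake completed with an export-grade (EXP-*) suite.
            echo "ACCEPTS_EXPORT" ;;
        *"handshake failure"*|*"Cipher is (NONE)"*)
            # Server refused every export suite that was offered.
            echo "REJECTS_EXPORT" ;;
        *)
            echo "INCONCLUSIVE" ;;
    esac
}

# Run the page's test against HOST:PORT ($1) and classify the result.
check_server() {
    openssl s_client -connect "$1" -cipher EXPORT </dev/null 2>&1 |
        classify_export_test
}

# Constructed sample outputs (not captured from any real server).
SAMPLE_REJECT='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPT='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
    Cipher    : EXP-DES-CBC-SHA'
SAMPLE_NO_LOCAL='Error with command: "-cipher EXPORT"
error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match'

for s in "$SAMPLE_REJECT" "$SAMPLE_ACCEPT" "$SAMPLE_NO_LOCAL"; do
    printf '%s\n' "$s" | classify_export_test
done
# To test a server you administer: check_server SERVER_IP_ADDRESS:443
```

An INCONCLUSIVE verdict means the check has to be repeated from a machine whose OpenSSL client can still offer export ciphers, or after confirming the server is reachable.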
If you have any Linux or UNIX servers on your networks, please do not hesitate to contact us for assistance in securing your servers.