We've been working hard at Zetetic to assess the impact on our Tempo Time Tracking customers of the recent OpenSSL security disclosure known as the OpenSSL Heartbleed bug.
This issue has undermined the security of many internet platforms by allowing attackers to read arbitrary memory from services using the popular OpenSSL library to provide secure communications over the web. This attack can allow extraction of private keys, session data, and user information from affected websites.
Zetetic's public Tempo web services do use OpenSSL, but are not secured by a version that is vulnerable to the Heartbleed attack. In addition, Tempo uses Amazon Web Services, which was widely reported to be susceptible to the Heartbleed attack, but Tempo does not terminate SSL on the Elastic Load Balancers that were discovered to be vulnerable.
As a result, users who currently rely on Tempo for time tracking should not need to be concerned with Heartbleed exposure through the Tempo web sites.
Even though the Tempo services should not be directly affected, out of an abundance of caution we have still taken the step of revoking and reissuing SSL certificates for all Zetetic web applications.
This is a good time to review the strength of your application passwords. You should change your Tempo password immediately if you:
- Are currently sharing the same password for Tempo as any other application
- Are currently using a weak password for Tempo that doesn't meet the recommendations below
We recommend using a strong alphanumeric password that combines upper case, lower case, digits, and meta-characters, and that is as long as possible while still allowing convenient entry.
We take security seriously and we are happy to communicate with customers about the details of this issue, or how to take appropriate action, so please don't hesitate to contact us if you have any questions.