Monday, April 14, 2014

AxCrypt, Xecrets and the OpenSSL Heartbleed security issue

Information about Heartbleed

On April 7, a security advisory was published concerning OpenSSL; the vulnerability it describes has been given the popular name 'Heartbleed'. OpenSSL is a software library commonly used by web servers to support SSL-encrypted communication with clients.

This issue probably affects the majority of web servers in the world, and is about as serious as a security issue can be. It's arguably the most dangerous vulnerability the Internet has seen.

However, it does not in any way affect the security of AxCrypt file encryption or Xecrets online password manager.

In the case of AxCrypt, this is simply because AxCrypt is not a web server and does not use SSL in any way.

Xecrets is an online service that runs on a web server and does use SSL, but it is still not vulnerable because it does not use OpenSSL, i.e. the faulty component is not part of the software used by Xecrets. There is no indication that the Certificate Authority used by Xecrets has been compromised, so connections to https://www.axantum.com/ can still be fully trusted, as before.

You do not need to change passwords or passphrases for AxCrypt-encrypted files or your Xecrets account unless you use the same or a similar password somewhere else.