This repository has been archived by the owner on Aug 12, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
sites.yml
195 lines (162 loc) · 8.29 KB
/
sites.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
#### Example (also hidden) #####
- site: Yoyodyne, Inc
homepage: http://www.example.com/
blogpost: blahblah-url
safefrom: whenever
comment: "this was fixed on 2014-04-12 but they finish getting the old certificate revoked for three more weeks, thus the later date shown; this affects their Xmail and Xcalendar products too."
hidden: true
################################
- site: ACM (Association for Computing Machinery)
homepage: http://www.acm.org
unaffected: true
comment: by sign-in prompt, a notice that “ACM has verified that its servers are not impacted by the Heartbleed OpenSSL vulnerability.”
- site: Amazon (consumer)
hidden: true
consumer: true
- site: Amazon Web Services AWS (for developers)
homepage: http://aws.amazon.com/
blogpost: http://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/
comment: this only fixes heartbleed, each developer-customer needs to do the rest of the clean-up steps, after 2014-04-08
developer: true
- site: Ars Technica
homepage: http://arstechnica.com/
blogpost: http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/
safefrom: 2014-04-08
consumer: true
- site: CAcert
homepage: https://www.cacert.org/
blogpost: https://blog.cacert.org/2014/04/openssl-heartbleed-bug/
consumer: true
safefrom: 2014-04-10
comment: The certs generated with CAcert are fine, but the systems used to log into CAcert may have been compromised. Note that while the blog post is dated the 8th, the list of fixed systems is made in an undated update to the original post; we know the update was in place by the 10th.
- site: CeroWRT
homepage: http://www.bufferbloat.net/projects/cerowrt
blogpost: http://www.bufferbloat.net/news/50
developer: true
safefrom: "3.10.36-4"
comment: CeroWRT is a router OS distribution, and certain remote services (VPN) are exposed and affected. You need to upgrade the OS to avoid being vulnerable
- site: Cisco
homepage: https://cisco.com/
blogpost: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
comment: With Cisco many of the product offerings use the affected OpenSSL 1.0.1. Cisco's web system itself is potentially unaffected, but not mentioned in the article.
developer: true
- site: Comodo
homepage: http://www.comodo.com/
blogpost: https://cardiac-surgery.github.io/evidence/comodo
developer: true
comment: Comodo avoid mentioning whether or not their own systems, through which certificates are ordered, were vulnerable, thus the lack of a ‘safe’ status. Also beware the “no-charge reissue policy” claim, as they do <em>not</em> claim no-charge for revoking the old certificate, which remains necessary and one reseller has reported problems trying to persuade Comodo to waive the fees for that.
- site: Dropbox
homepage: https://dropbox.com
blogpost: https://twitter.com/dropbox_support/status/453673783480832000
safefrom: 2014-04-08
consumer: true
comment: "Quick update on #heartbleed: We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe."
- site: Evernote
homepage: https://evernote.com/
blogpost: http://blog.evernote.com/blog/2014/04/10/evernote-service-unaffected-openssl-bug/
unaffected: true
consumer: true
comment: “Evernote does not use, and has not used, OpenSSL”
- site: F5
developer: true
blogpost: http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
comment: F5 sell loadbalancers, which go in front of servers and act as the server-side end-point for TLS (HTTPS); F5 have strong market share; some models, in some versions, are vulnerable.
- site: Facebook
hidden: true
consumer: true
- site: Fitbit
homepage: https://www.fitbit.com/
blogpost: https://help.fitbit.com/customer/portal/articles/1511991
safefrom: 2014-04-08
comment: no mention of revocation of old certs, but otherwise a near ideal response
- site: GitHub
homepage: https://github.com/
blogpost: https://github.com/blog/1818-security-heartbleed-vulnerability
safefrom: 2014-04-08
consumer: true
developer: true
- site: GoDaddy
homepage: http://www.godaddy.com/
blogpost: http://godaddyblog.com/open-ssl-heartbleed-weve-patched-servers/
safefrom: 2014-04-09
developer: true
comment: Certificate Vendor; portal vulnerability, if you purchased your certificate from GoDaddy, then you should re-key, even if your own systems were unaffected.
- site: Google, Inc
homepage: https://www.google.com/
blogpost: http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html
safefrom: 2014-04-09
comment: most consumer services you're likely to use were fixed by that safe-date; see the blogpost for more details. You probably need to also cycle "Application-specific passwords".
consumer: true
developer: true
- site: Heroku
homepage: https://www.heroku.com/
blogpost: https://status.heroku.com/incidents/606
safefrom: 2014-04-09
developer: true
comment: Note that this status only describes safety of services provided by Heroku for customer, not Heroku.com's own SSL certs for changing your passwords. Timestamp for that still unknown.
- site: IFTTT
homepage: https://ifttt.com
consumer: true
safefrom: 2014-04-09
blogpost: https://cardiac-surgery.github.io/evidence/ifttt
comment: Passwords should be reset based on the email that was sent.
- site: Kato
homepage: https://kato.im/
consumer: true
safefrom: 2014-04-14
blogpost: https://cardiac-surgery.github.io/evidence/kato
comment: "Correct response: clearly communicated that OpenSSL was fixed, that new keys were generated and old certs were revoked. This is how everyone should do it."
- site: Leap Motion
homepage: https://leapmotion.com
consumer: true
safefrom: 2014-04-10
blogpost: https://cardiac-surgery.github.io/evidence/leap-motion
comment: Passwords should be reset based on the email that was sent. "Airspace" is potentially effected.
- site: LinkedIn
hidden: true
consumer: true
- site: MSN
hidden: true
consumer: true
- site: Opbeat
homepage: https://opbeat.com/
blogpost: http://blog.opbeat.com/posts/amateur-hour-at-aws/
developer: true
comment: blog post tracks what they saw from one of their providers, but they haven't communicated to their own customers the status of changing keys
- site: Orchestrate
homepage: https://orchestrate.io
consumer: true
safefrom: 2014-04-09
blogpost: https://cardiac-surgery.github.io/evidence/orchestrate
comment: Passwords and API keys should be reset based on the email that was sent.
- site: Pinterest
homepage: https://pinterest.com
consumer: true
blogpost: https://help.pinterest.com/en/articles/was-pinterest-impacted-heartbleed-issue
comment: Help center suggests users reset their passwords. However the post makes no mention of certs being revoked, or even rotated.
safefrom: 2014-04-09
- site: Prgmr
homepage: http://prgmr.com/xen/
blogpost: http://blog.prgmr.com/xenophilia/2014/04/update-on-the-heartbleed-situa.html
developer: true
unaffected: true
- site: RapidSSL
homepage: https://www.rapidssl.com/
blogpost: https://cardiac-surgery.github.io/evidence/rapidssl.md
developer: true
comment: RapidSSL avoid mentioning whether or not their own systems, through which certificates are ordered, were vulnerable, thus the lack of a ‘safe’ status. Much like Comodo, RapidSSL carefully claim “Replacements are free for the lifetime of the certificate” but do <em>not</em> make this free claim for the cost of revoking the old certificate.
- site: Yahoo, Inc
hidden: true
consumer: true
- site: Twitter, Inc
homepage: https://twitter.com/
blogpost: http://status.twitter.com/post/82109064906/ssl-security-update
unaffected: true
comment: Twitter assert that they were never affected by this
consumer: true
- site: VMware
homepage: https://vmware.com/
blogpost: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
comment: Unlike various certificate authorities, VMware is being honest. However almost all of the recent product offerings use the affected OpenSSL 1.0.1 that are in the current offering. VMware's web system itself is potentially unaffected, but not mentioned in the article.
consumer: true
developer: true