Comments on: Heartbleed: A Note From Wufoo

By: Nabeal T.

Nabeal T. — Fri, 18 Apr 2014 16:39:47 +0000

This posting reveals vulnerability in a technology called Open SSL that powers encryption across most of the Internet. The vulnerability is generally known as the “Open SSL Heartbleed Flaw.” Although wufoo customers don’t have to worry about this vulnerability, they should still reset their passwords. Search for employment applications at Granted and secure a position at a great company.

By: Earl

Earl — Wed, 16 Apr 2014 23:25:19 +0000

Your guys seriously need to update your SSL certificates. Telling your users to change their password is almost moot point if someone was able to get your private keys and certificates. That means they could the new read account credentials as it passes through your questionably “secure” encryption login service.

https://lastpass.com/heartbleed/?h=wufoo.com

wufoo.com
Server software: Not reported
Was vulnerable: Possibly (might use OpenSSL, but we can’t tell)
SSL Certificate: Possibly Unsafe (created 1 year ago at Apr 15 03:44:19 2013 GMT) Additional checks SSL certificate history checks yielded no new information
Assessment: It’s not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

By: Mark

Mark — Mon, 14 Apr 2014 19:53:47 +0000

Ditto what Kurt said. "Any exposure that might have existed" is super ambiguous. Does wufoo's infrastructure use OpenSSL? If yes, please explain the specific vulnerabilities that did exist.

By: alan

alan — Mon, 14 Apr 2014 19:29:36 +0000

Was wufoo using Open SSL at any time/????

By: Kurt Ashley

Kurt Ashley — Mon, 14 Apr 2014 17:52:38 +0000

I understand that wufoo may not be vulnerable to Heartbleed now, but was it ever? If so, will you issue a new certificate for *.wufoo.com to ensure security? It doesn't do us much good to change passwords if someone has captured the private key for your certificate and you don't replace that certificate.