OpenSSL is a tool used to encrypt traffic on the Internet — it’s the reason you use https not http for secure browsing. Yesterday a vulnerability was discovered in OpenSSL (the industry is referring to it as the Heartbleed bug). This is not specific to Wave; it’s a widespread vulnerability and has affected a large majority of the Internet’s secured sites using certain versions of OpenSSL. More details are available here: heartbleed.com

We have confirmed that the Wave tools have not been directly impacted -- in other words, the version of OpenSSL Wave uses did not include the Heartbleed vulnerability. However, we will continue to investigate whether any third-party service providers may have been impacted, and what the resulting impact on Wave customers might be.

We will provide updates as more news becomes available.

We recommend strong caution in using secure sites for the next couple of days while companies update their systems to fix their own OpenSSL vulnerabilities.

More details about this vulnerability

This vulnerability is being referred to in the industry as Heartbleed. In its theoretical worst form:

  • it could permit bad actors to impersonate a site you’re trying to access, while still showing you that green https lock in your browser

  • the bad actors would leave no trace that they had exploited the vulnerability

This vulnerability has existed in certain versions of OpenSSL for a couple of years, but wasn’t discovered / disclosed to the general public until yesterday (April 7).

What is Wave doing?

As mentioned above, Wave was not using a vulnerable version of OpenSSL, and therefore Wave was not directly affected.

We will continue to investigate the matter thoroughly until its full impact is known, and will work with partners like our hosting provider to proactively update security measures.

As we do so, your sessions in Wave may be interrupted for brief moments and you may be forced to log back in. I trust you will agree that this inconvenience is for the sake of maintaining optimal security, and that the hassle is well worth the peace of mind.

What should you do?

We will update you on any further actions that you may need to take regarding your use of Wave. At this time, there are no actions needed.

As for your use of other Internet sites and services, watch for messaging similar to this from those organizations. Once you’re confident that they’ve handled the problem, change your password credentials and clear your cookies. It’s important to do this after they have given you the all-clear. Changing your passwords beforehand will mean they may again be exposed before the all-clear is given.