by Eyas 4449 days ago
What is unclear about the response: "As indicated, our engineers have verified Mint is not affected by "Heartbleed." Password resets and re-issuing of SSL certificates are not required at this time."

It seems that they are saying either (a) they are not using OpenSSL, or (b) they were using a version of OpenSSL without the vulnerability. Is there anything wrong with assuming that given their statements?

4 comments

"is not affected" being the operative wording. Users want to know if their data has ever been at risk. Still, surely everyone can just assume it was affected, act accordingly, and move on?
Or more likely, they were using software or hardware that was not affected by Heartbleed, and so were not at risk. Saying so would narrow down the infrastructure they are using though, and for a target like Mint, they would likely want to avoid explicitly saying so. Not going to stop a determined hacker, but it may stop the script kiddies with a downloaded toolkit.

After a small amount of research, it looks like they run Java webservers, along with (or on?) F5 Big-IP platforms, with the latter likely providing hardware SSL decryption that isn't vulnerable to Heartbleed (mostly; apparently there were some vulnerabilities in certain configurations where it would fall back to OpenSSL). The way the Java webserver allocates memory is also different from the typical Apache/Linux server, so it is unlikely that, even if the server was vulnerable, a hacker would actually be able to pull any data of any value from the chunks they could get.

I don't profess to be an expert on server security or the F5 Big-IP platform, but my point is, it would appear that there is no reason not to believe Mint when they say they investigated and have no reason for concern.

Except "is not affected" is exactly what you'd say if you were running software that wasn't, and still isn't vulnerable (because you didn't have to patch anything).
Except in this case, seeing as it seems that Mint hasn't got new SSL certs or private keys, the only way to 'act accordingly' is to never use the service again.
Or they were never vulnerable, which is likely given what has been dug up about their tech stack.
Ah, right. I didn't consider that their private key could have been leaked if they were once vulnerable (I was only considering passwords and the like). Good point, thanks!
I think there is something wrong with it.

As a site that has access to financial records, I would expect them to explain in detail why they aren't affected and if they were ever vulnerable.

For instance, if they are using IIS (I know, I know) it would be an easy answer.

The fact they are not explaining clearly and in detail leads me to believe that there is/was something amiss.

The transparency expectation of them is greater.

It looks like they are running Java servers on F5 Big-IP platform(s). I tend to believe it when they say they aren't vulnerable, and understand why they would not want to say any more about their architecture than they have to.
Why do they have access to your financial records? Because you gave them the password to your bank account. The consequences of that action were only a matter of time.
True, but people tend to take security in a very strict manner. (With just cause.) The mod could have said "was not affected", but instead, using improper word use, said "is not affected [sic]". Someone can correct me if I'm wrong, but I believe the proper use is either "was not affected" or "is not effected", not some combination of the two. The true point is, the statement is inherently unclear as to when, much more so when you introduce faulty word use.
Proper use is to communicate abundant details to remove any ambiguity in phrasing.
Not when you run a service that is a very hot target. In that case, you give as few details as possible to make sure the attack spectrum is as large as possible.
I think their issue is that "is not affected" implies the present moment, and makes no claims about possible exposure in the past.