by catshirt 4446 days ago
"is not affected" being the operative wording. Users want to know if their data has ever been at risk. Still, surely everyone can just assume it was affected, act accordingly, and move on?
3 comments

Or more likely, they were using software or hardware that was not affected by Heartbleed, and so were not at risk. Saying so would narrow down the infrastructure they are using though, and for a target like Mint, they would likely want to avoid explicitly saying so. Not going to stop a determined hacker, but it may stop the script kiddies with a downloaded toolkit.

After a small amount of research, it looks like they run Java webservers, along with (or on?) F5 Big-IP platforms, with the latter likely providing hardware SSL decryption that isn't vulnerable to Heartbleed (mostly; apparently there were some vulnerabilities in certain configurations where it would fall back to OpenSSL). The way a Java webserver allocates memory is also different from the typical Apache/Linux server, so it is unlikely, even if the server was vulnerable, that a hacker would actually be able to pull any data of any value from the chunks they could get.

I don't profess to be an expert on server security or the F5 Big-IP platform, but my point is, it would appear that there is no reason not to believe Mint when they say they investigated and have no reason for concern.
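The "chunks they could get" above are whatever happens to sit in process memory just past the heartbeat record, which is why the result depends on the allocator and not on the request. The following is an added example, not code from this thread, from OpenSSL or from F5: a C simulation of the heartbeat handling Heartbleed (CVE-2014-0160) affected, with the pre-fix logic beside the fixed version. It assumes a constructed "process memory" buffer in which a made-up secret lies directly after the record; the names build_record, heartbeat_vulnerable, heartbeat_fixed and leaks_secret are illustrative, not OpenSSL's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record: type(1) | payload_len(2, big-endian) | payload | padding(16).
 * process_memory is a constructed stand-in for the heap: the record sits at the front and
 * a secret (stand-in for key material or a session cookie) follows it. */
enum { MEM_SIZE = 64, HB_REQUEST = 1, HB_RESPONSE = 2, PADDING = 16 };

static unsigned char process_memory[MEM_SIZE];
static const char secret[] = "PRIVKEY:deadbeef";   /* constructed, not real key material */

/* Write a heartbeat request into process_memory that claims `claimed_len` payload bytes but
 * actually carries `actual_len`. Returns the on-the-wire record length. The caller keeps
 * 3 + actual_len + PADDING + sizeof secret <= MEM_SIZE so the demo stays in its own buffer. */
size_t build_record(uint16_t claimed_len, size_t actual_len) {
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(process_memory + 3, 'A', actual_len);
    size_t record_len = 3 + actual_len + PADDING;
    memcpy(process_memory + record_len, secret, sizeof secret);  /* "adjacent heap data" */
    return record_len;
}

/* Vulnerable: trusts the attacker-controlled length field and never consults how many bytes
 * were actually received, so the copy runs past the record into whatever follows it.
 * Returns the number of response bytes written to `out`, or -1. */
int heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap) {
    (void)record_len;                        /* ignored: that is the bug */
    const unsigned char *p = process_memory;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (3 + (size_t)payload_len > out_cap) return -1;            /* guards only the destination */
    if (3 + (size_t)payload_len > sizeof process_memory) return -1; /* demo-only: stay inside the simulated heap */
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);     /* over-read whenever payload_len > bytes actually sent */
    return 3 + (int)payload_len;
}

/* Fixed: the claimed payload plus header and padding must fit inside the record that was
 * actually received; otherwise the request is silently dropped, as OpenSSL 1.0.1g does. */
int heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap) {
    const unsigned char *p = process_memory;
    if (record_len < 1 + 2 + PADDING) return -1;                 /* cannot hold even an empty payload */
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + PADDING > record_len) return -1; /* the missing bounds check */
    if (3 + (size_t)payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);
    return 3 + (int)payload_len;
}

/* Does a response of n bytes contain the constructed secret anywhere in its payload? */
int leaks_secret(const unsigned char *out, int n) {
    if (n <= 0) return 0;
    size_t slen = strlen(secret);
    for (size_t i = 3; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[MEM_SIZE + 3];
    size_t rl = build_record(40, 4);                 /* claims 40 payload bytes, sends 4 */
    int n = heartbeat_vulnerable(rl, out, sizeof out);
    printf("vulnerable: %d bytes returned, secret leaked: %s\n", n, leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_fixed(rl, out, sizeof out);
    printf("fixed: %s\n", n < 0 ? "request dropped" : "answered");
    return 0;
}
```

The vulnerable path returns the 4 real payload bytes plus 36 bytes of whatever followed the record; the fixed path compares the claimed length against the received record length first and drops the request. Whether the leaked bytes contain anything useful depends entirely on what the allocator placed after the record, which is the point made above about Java versus a typical Apache deployment.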

Except "is not affected" is exactly what you'd say if you were running software that wasn't, and still isn't, vulnerable (because you didn't have to patch anything).
Except in this case, seeing as it seems that Mint hasn't got new SSL certs or private keys, the only way to 'act accordingly' is to never use the service again.
Or they were never vulnerable, which is likely given what has been dug up about their tech stack.
Ah, right. I didn't consider that their private key could have been leaked if they were once vulnerable (I was only considering passwords and the like). Good point, thanks!