And this is from the horse's mouth, so to speak:
FileMaker products and the Heartbleed bug (on FileMaker's website)
"FileMaker Pro 13 and FileMaker Pro 13 Advanced are vulnerable only when using the following features and connecting to a non-FileMaker server via a SSL connection which may have been otherwise compromised: Insert from URL; Send Mail via an SMTP Server; Import XML from a remote server."
For what it's worth, none of the client databases that we have hosted at Point in Space are, at this time, using any of those features.
Quick followup to previous post about the Heartbleed vulnerability in OpenSSL.
First, the original release of FileMaker Server 13.0 was potentially vulnerable. FileMaker Inc has released FileMaker Server 13.0v1, which fixes the problem. If you're running FileMaker Server, you should get this update immediately, especially if your server is open to remote connections.
The premium hosting service that we recommend to all our clients is Point in Space. They've been running FileMaker Server 13, but their servers — and thus their clients' databases — were not affected by Heartbleed, because Point in Space's servers use stock installations of Mac OS X or OS X Server, and these operating systems use a build of OpenSSL that does not have the Heartbleed bug. So, a little good news there.
Are you thinking that the two previous paragraphs seem irreconcilable? They're not. In order for your database server setup to be at risk of leaking sensitive info because of the Heartbleed bug, at least two conditions have to be met:
Standard builds of Mac OS X and Mac OS X Server aren't affected by Heartbleed not because OS X is so intrinsically wonderful, but because those versions of the Mac OS don't install the vulnerable build of OpenSSL. On the other hand, it's possible to install the buggy build of OpenSSL even in Mac OS X via MacPorts or Homebrew.
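As an added check (my own example, not something from the original post, from FileMaker or from Point in Space), here is a small Python helper that classifies the output of `openssl version` and inspects the stock, MacPorts and Homebrew binaries on a Mac. The binary paths, function names and the sample version strings are my assumptions; the affected version range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release) is the one published in the OpenSSL advisory.

```python
"""Tell a Heartbleed-affected OpenSSL build from a safe one by its version string."""
import re
import subprocess

# Heartbleed lives in OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and in the
# 1.0.2-beta1 pre-release. The 0.9.8 and 1.0.0 branches, which is what stock
# Mac OS X shipped, never contained the heartbeat code at all.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")

# Hypothetical locations: Apple's build, then MacPorts, then Homebrew.
CANDIDATE_BINARIES = ["/usr/bin/openssl", "/opt/local/bin/openssl", "/usr/local/bin/openssl"]


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) from an `openssl version` line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5) or ""


def is_heartbleed_build(text):
    """True if the version string names an upstream build with the bug.

    Caveat: some vendors (Debian, Ubuntu, Red Hat) patched the bug but kept the
    "1.0.1e" string, so a True here means "check the vendor's advisory", not
    "definitely vulnerable". A False is reliable: that code was never there.
    """
    major, minor, fix, letter, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 2):
        return beta == "-beta1"
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter == "" or letter <= "f"


def check_installed_binaries(paths=CANDIDATE_BINARIES):
    """Run each existing binary and map its path to (version line, affected?)."""
    results = {}
    for path in paths:
        try:
            out = subprocess.check_output([path, "version"]).decode().strip()
        except (OSError, subprocess.CalledProcessError):
            continue  # not installed here; skip it rather than fail
        results[path] = (out, is_heartbleed_build(out))
    return results


if __name__ == "__main__":
    for path, (line, affected) in check_installed_binaries().items():
        print("%s: %s -> %s" % (path, line, "AFFECTED" if affected else "not affected"))
```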
One last point for ordinary users. Don't misunderstand this news about Mac OS X and OS X Server: it means that machines running standard installations of Mac OS X and acting as https servers aren't going to "leak" info to incoming connections due to Heartbleed. But Heartbleed is a bug that affects servers. If your computer is one of the 99% of the world's computers that's just an ordinary workstation, Heartbleed isn't an issue for your machine regardless of the operating system it's running — Heartbleed still might be an issue for the servers used by your bank or your online merchant accounts, etc. The fact that your home is a fortress says nothing about the security of the money you have in the vault at your local bank.
At any time in the last two years, have you sent a credit card number to an online retailer? Used Gmail? Logged into your bank account's website? Uploaded your tax return to the IRS? If you answered yes to any of these questions, you could already be screwed. Welcome to the future.
The Internet's been hit by a serious bug. A very serious bug. It's called "Heartbleed" and you need to be at least a little worried about it. It affected Google, Yahoo, your bank, and an awful lot of the other sites that you were absolutely confident were secure.
What is it? Well, there's a website about it — The Heartbleed Bug — but instead I suggest that you start by reading, in full, the article over at TidBITS by Adam Engst: "The Normal Person's Guide to Heartbleed Vulnerability." Best thing I've read anywhere, although this xkcd comic explains the basic problem pretty well.
Although the bug's been there for two years, the world at large only became aware of it in the last day. I learned about it today by email from AgileBits, the geniuses that make 1Password. 1Password is the password protection program that I have recommended to my clients for a while now. There's a post on their blog about Heartbleed.
Heartbleed: Imagine no SSL encryption, it’s scary if you try
What do you do?
That seems to be a bit tricky.
Adam Engst advises doing nothing, unless you know both (a) that such-and-such a site was compromised and (b) that that site's vulnerability has been fixed. Otherwise, says Engst, changing your password could be worse than not changing it. Why? Because the vulnerability is exploiting info that is in the memory of (ahem) "secure" servers. It's my understanding that the info that "bleeds" out when the bug is triggered is recent info.
I am definitely not an expert in this field, but my sense is, accounts that use two-factor authentication should be pretty safe. And you should be using two-factor authentication whenever possible. I use it on my bank accounts, most of my credit cards, on all my Google accounts, Flickr/Yahoo, Dropbox, and elsewhere.
But I'm using a Mac!
Doesn't matter much. This is an Internet bug, not a desktop OS bug. Apple's web services apparently were not compromised, because they don't use the version of SSL that has the Heartbleed bug. But if you open up Safari and log into your bank, you may be vulnerable even if you're sitting at your Mac and wearing your bicycle helmet.
The bottom line is: Start paying attention to your accounts. Enable two-step authentication on your important accounts, if you haven't already. Several years ago, my very first Gmail account was taken over — and I never was able to recover it. Very recently, my bank (Chase) noticed that somebody was trying to use my debit card in North Carolina, while my wife and I were in San Diego. In that case, Chase's security measures caught the malefactor and no harm was done, well, other than my having to be without a debit card for five days while they mailed me a new one.
I love this quote over at Ars Technica by Troy Hunt, who is an expert in this field: "Ultimately, this boiled down to a very simple bug in a very small piece of code that required a very small fix.… Now it just needs to be installed on half a million vulnerable websites."
By the way: The Canadian Revenue Agency has shut its sites down, but here in the US, the IRS says that it's not affected by Heartbleed. You can believe them if you want to. Call me paranoid but I may mail my return this year for the first time in a while.