Mint won't give a clear answer about Heartbleed

71 points | swandog46 | 12 years ago | satisfaction.mint.com

https://satisfaction.mint.com/mint/topics/is_mint_com_secured_and_recovered_from_the_heartbleed_bug

32 comments

Eyas | 12 years ago
What is unclear about the response: "As indicated, our engineers have verified Mint is not affected by "Heartbleed." Password resets and re-issuing of SSL certificates are not required at this time."

It seems that they are saying either (a) they are not using OpenSSL, or (b) they were using a version of OpenSSL without the vulnerability. Is there anything wrong with assuming that given their statements?

catshirt | 12 years ago
"is not affected" being the operative wording. Users want to know if their data has ever been at risk. Still, surely everyone can just assume it was affected, act accordingly, and move on?
pgrote | 12 years ago
I think there is something wrong with it.

As a site that has access to financial records, I would expect them to explain in detail why they aren't affected and if they were ever vulnerable.

For instance, if they are using IIS (I know, I know) it would be an easy answer.

The fact they are not explaining clearly and in detail leads me to believe that there is/was something amiss.

The transparency expectation of them is greater.

headShrinker | 12 years ago
True, but people tend to take security in a very strict manner. (With just cause.) The mod could have said, "was not affected", but instead and using improper word use, said "is not affected[sic]". Someone can correct me if I'm wrong, but I believe the proper use is either, was not affected or is not effected, not some combination of the two. The true point is, the statement is inherently unclear as to when, much more so when you introduce faulty word use.
mpalmer | 12 years ago
I think their issue is that "is not affected" implies the present moment, and makes no claims about possible exposure in the past.
lugg | 12 years ago
What a bunch of FUD.

> You say there's no evidence that customer data was affected, but the Heartbleed bug leaves no logs, so that is not reassuring at all

Well, if they're looking for people making use of the data received by the exploit that is reassuring..

> You've said before that Mint servers are being updated, which suggests that it was exposed. If this is the case, have you gotten new SSL certificates? (this is extremely important, see next point)

Almost everyone was exposed. I'd like to know they have a new SSL cert too but not because of why you want them to.

> Even if I take a personal precaution and change my Mint and bank account passwords, if a hacker stole your cert at any time and you haven't gotten a new one, all my accounts are STILL vulnerable no matter how many times I change the password. This is because they basically have a permanent back door into Mint until you get a new SSL cert.

No, no they don't. I don't think you understand SSL at all.

> Basically, if you don't answer the following questions, we have no choice but to STOP USING MINT FOREVER in order to secure ourselves. 1. Was Mint EVER vulnerable to the heartbleed bug (which has existed for 2 years) 2. If so, has the SSL cert been revoked and a new one acquired?

Good, stop using it, you're taking up security analyst resources to answer your stupid questions instead of letting them make sure everything is solid.

epaga | 12 years ago
The latest (and final) response Mint gave, 2 hours after this hit the HN front page, is: "I'm terribly sorry for the delay in circling back to this topic. I can confirm that Mint was using a version of OpenSSL that was never vulnerable to Heartbleed."

Seems cleared up. Goes to show yet again, due to the massive traffic it causes, HN continues to be useful as a customer complaint center for egregious cases...

err4nt | 12 years ago
Which is the same as their first official response to the thread further up the page too!
deelowe | 12 years ago
Typical mint. Their customer service has been terrible ever since they sold to intuit. I love the service, but the company is terrible.
adamrneary | 12 years ago
The absence of a clear response indicates to me that the brass is currently weighing the pros and cons of admitting there was a problem. This is the sort of thing where those who really weren't affected get way out ahead of this sort of thing with vivid detail. I deleted my account.
sadris | 12 years ago
Seems reasonable, we didn't have to update anything as CentOS 5 was using an earlier version without the bug.
jameshk | 12 years ago
They should at least give us some more info, like which OpenSSL version they're running (if they use OpenSSL).
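Eyas's reading of the statement (either no OpenSSL, or a version that never had the bug), sadris's CentOS 5 remark and jameshk's request for the version string all reduce to one check: does the build fall in the affected range, and does the version string even tell you? The following is an added example written for this page, not Mint's, Intuit's or OpenSSL's own code. The affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2; 0.9.8 and 1.0.0 never had the heartbeat code) is from the OpenSSL advisory for CVE-2014-0160. The distribution package releases in FIXED_RELEASES are the first fixed builds named in RHSA-2014:0376, USN-2165-1 and DSA-2896-1; the release comparison is a simplified rpmvercmp-style compare written for this example; the function names and sample banners are constructed.

```python
import re

# Added example (not Mint's or OpenSSL's code): classify an `openssl version`
# banner against the Heartbleed (CVE-2014-0160) range, then refine the verdict
# for distribution packages that backported the fix without changing the
# upstream version string (a plain banner check is wrong for those builds).
#
# Facts used: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected;
# 1.0.1g and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0 branches never
# contained the TLS heartbeat extension.

BANNER_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]*)(?:-beta(?P<beta>\d+))?",
    re.IGNORECASE,
)

# First package release carrying the backported fix, per the vendors' advisories
# (RHSA-2014:0376, USN-2165-1, DSA-2896-1). Key: (distro tag, upstream version).
# The distro tags are names chosen for this example.
FIXED_RELEASES = {
    ("rhel6", "1.0.1e"): "16.el6_5.7",
    ("ubuntu12.04", "1.0.1"): "4ubuntu5.12",
    ("debian7", "1.0.1e"): "2+deb7u5",
}


def classify_openssl_banner(banner):
    """Return 'vulnerable', 'not-vulnerable' or 'unknown' for an `openssl version` banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"          # not an OpenSSL banner (e.g. LibreSSL, NSS, SChannel)
    major, minor, patch = (int(m.group(g)) for g in ("major", "minor", "patch"))
    letter = m.group("letter").lower()
    beta = int(m.group("beta")) if m.group("beta") else None
    if (major, minor) != (1, 0) or patch == 0:
        # 0.9.x and 1.0.0 never had heartbeats; 1.1.x and later postdate the fix.
        return "not-vulnerable"
    if patch == 1:
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix.
        return "vulnerable" if letter < "g" else "not-vulnerable"
    if patch == 2:
        # Only 1.0.2-beta1 shipped with the bug; beta2 and the final release are fixed.
        return "vulnerable" if beta == 1 else "not-vulnerable"
    return "not-vulnerable"


def _release_tokens(release):
    """Split a package release into int/str tokens (simplified rpmvercmp; assumption)."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", release)]


def release_is_at_least(release, fixed):
    """True if `release` sorts at or after `fixed` under the simplified token compare."""
    a_toks, b_toks = _release_tokens(release), _release_tokens(fixed)
    for a, b in zip(a_toks, b_toks):
        if a == b:
            continue
        if isinstance(a, int) and isinstance(b, int):
            return a > b
        return isinstance(a, int)   # rpm rule: a numeric segment is newer than an alpha one
    return len(a_toks) >= len(b_toks)


def classify_package(distro, version_release):
    """Verdict for a distro package given its 'version-release' (e.g. '1.0.1e-16.el6_5.7')."""
    upstream, release = version_release.split("-", 1)
    verdict = classify_openssl_banner("OpenSSL " + upstream)
    if verdict != "vulnerable":
        return verdict
    fixed = FIXED_RELEASES.get((distro, upstream))
    if fixed is None:
        return "vulnerable-unless-backported"   # the version string alone cannot tell
    return "not-vulnerable" if release_is_at_least(release, fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners in the shape `openssl version` prints.
    for banner in ("OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",   # the CentOS 5 case
                   "OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014",
                   "LibreSSL 2.0.0"):
        print(f"{banner!r:45} -> {classify_openssl_banner(banner)}")
    for distro, vr in (("rhel6", "1.0.1e-16.el6_5.4"), ("rhel6", "1.0.1e-16.el6_5.7"),
                       ("sles11", "1.0.1e-1.2")):
        print(f"{distro:12} {vr:22} -> {classify_package(distro, vr)}")
```

The package-level check is the part that matters in practice: a RHEL 6 host reporting `OpenSSL 1.0.1e-fips` is flagged by the banner rule, but the same host with `openssl-1.0.1e-16.el6_5.7` installed was patched, which is exactly why "we run version X" is a weaker statement than "our build has the fix", and why the thread's demand for a version number would not by itself have settled the question.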
Karunamon | 12 years ago
That's probably not a great idea - it just instantly confirms them as a viable future target if a bug in that particular version comes up with a hole in it later.

I'm personally okay with "We were not affected by the bug" - random internet people shouldn't have details on the software your company runs internally. One more thing for a potential bad guy to exploit.

Besides, if they'd be willing to lie about being affected, they'd be willing to lie about using a particular version of software, so nothing gained anyways.

notastartup | 12 years ago
I still get email from Mint from time to time but I've disconnected my bank account. It just didn't feel right, giving away such crucial information when the local bank already provides means to check your financials. Do I really need to know my spending minute by minute? Am I spending so fast and so much that I have to watch for my account being emptied on a third-party app that is granted access to such intimate data?
the_ancient | 12 years ago
Intuit not giving a straight answer, next you will tell me water is wet...

Go try to read some of their dev docs.... I do not believe anyone in the company can give clear and concise responses to anything.

KB1JWQ | 12 years ago
Just deleted my Mint account; if they're not going to be transparent around this, I flat out can't trust them with my financial information.
uptown | 12 years ago
If you can't trust them with your financial information, how can you trust that they actually deleted your account?