It seems that they are saying either (a) they are not using OpenSSL, or (b) they were using a version of OpenSSL without the vulnerability. Is there anything wrong with assuming that given their statements?
After a small amount of research, it looks like they run Java webservers, along with (or on?) F5 Big-IP platforms, with the latter likely providing hardware SSL decryption that isn't vulnerable to Heartbleed (mostly; apparently there were some vulnerabilities in certain configurations where it would fall back to OpenSSL). The way a Java webserver allocates memory is also different from the typical Apache/Linux server, so even if the server was vulnerable, it is unlikely that a hacker would actually be able to pull any data of value from the chunks they could get.
I don't profess to be an expert on server security or the F5 Big-IP platform, but my point is, it would appear that there is no reason to not believe Mint when they say they investigated and have no reason for concern.
As a site that has access to financial records, I would expect them to explain in detail why they aren't affected and if they were ever vulnerable.
For instance, if they are using IIS (I know, I know) it would be an easy answer.
The fact they are not explaining clearly and in detail leads me to believe that there is/was something amiss.
The transparency expectation of them is greater.
I'm personally okay with "We were not affected by the bug" - random internet people shouldn't have details on the software your company runs internally. One more thing for a potential bad guy to exploit.
Besides, if they'd be willing to lie about being affected, they'd be willing to lie about using a particular version of software, so nothing gained anyways.
For instance, at my work, we very explicitly said that only two internal systems, our wiki and our issue tracking system, used that version of openssl. Those systems had no user data and had a different set of certs. It is essential to give details. http://blog.taximagic.com/heartbleed/
This is Mint, for heaven's sake, who do all kinds of contortions to downplay the fact that the whole service relies on having all your passwords and banking details, instead of using their clout to push for sane OAuth-style access tokens for limited access to bank accounts.
Seems cleared up. Goes to show yet again, due to the massive traffic it causes, HN continues to be useful as a customer complaint center for egregious cases...
> You say there's no evidence that customer data was affected, but the Heartbleed bug leaves no logs, so that is not reassuring at all
Well, if they're looking for people making use of the data received by the exploit, that is reassuring.
> You've said before that Mint servers are being updated, which suggests that it was exposed. If this is the case, have you gotten new SSL certificates? (this is extremely important, see next point)
Almost everyone was exposed. I'd like to know they have a new ssl cert too but not because of why you want them to.
> Even if I take a personal precaution and change my Mint and bank account passwords, if a hacker stole your cert at any time and you haven't gotten a new one, all my accounts are STILL vulnerable no matter how many times I change the password. This is because they basically have a permanent back door into Mint until you get a new SSL cert.
No, no they don't. I don't think you understand SSL at all.
> Basically, if you don't answer the following questions, we have no choice but to STOP USING MINT FOREVER in order to secure ourselves. 1. Was Mint EVER vulnerable to the heartbleed bug (which has existed for 2 years) 2. If so, has the SSL cert been revoked and a new one acquired?
Good, stop using it, you're taking up security analyst resources to answer your stupid questions instead of letting them make sure everything is solid.
Go try to read some of their dev docs.... I do not believe anyone in the company can give clear and concise responses to anything.
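The exchange above turns on one checkable question: was the certificate reissued after the disclosure, and was the private key actually replaced? The following is an added example (not code from the thread, from Mint, or from Intuit) that answers both from two snapshots of a server's certificate: the `notBefore=` line printed by `openssl x509 -noout -startdate` and the SHA-256 of the DER public key (`openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum`). The sample values are constructed.

```python
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 2014-04-07.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_start_date(startdate_line):
    """Parse an openssl 'notBefore=Apr  9 14:02:11 2014 GMT' line into an aware datetime."""
    key, _, value = startdate_line.strip().partition("=")
    if key != "notBefore":
        raise ValueError("expected a notBefore= line, got %r" % startdate_line)
    value = " ".join(value.split())  # openssl pads single-digit days with a second space
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def assess_rotation(old, new):
    """old/new are (startdate_line, pubkey_sha256_hex) captured before and after the fix.

    A certificate reissued over the *same* key closes nothing: anyone holding a
    leaked key can still impersonate the site or decrypt non-PFS sessions.
    """
    old_start, old_key = parse_start_date(old[0]), old[1].lower()
    new_start, new_key = parse_start_date(new[0]), new[1].lower()
    reissued = new_start > old_start and new_start >= HEARTBLEED_DISCLOSED
    key_rotated = new_key != old_key
    return {
        "reissued_after_disclosure": reissued,
        "key_rotated": key_rotated,
        "compromise_window_closed": reissued and key_rotated,
    }


# Constructed sample snapshots (hashes are placeholders, not real keys).
OLD = ("notBefore=Jun  3 00:00:00 2013 GMT", "3f" * 32)
NEW_SAME_KEY = ("notBefore=Apr 10 08:15:42 2014 GMT", "3f" * 32)   # reissued, key reused
NEW_FRESH_KEY = ("notBefore=Apr 10 08:15:42 2014 GMT", "a1" * 32)  # reissued, key replaced

if __name__ == "__main__":
    print(assess_rotation(OLD, NEW_SAME_KEY))
    print(assess_rotation(OLD, NEW_FRESH_KEY))
```

Revocation of the old certificate is a separate check (OCSP/CRL) and is not covered here.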