OpenSSL usage on OSS-hosted and managed sites and the Heartbleed vulnerability.
The Heartbleed vulnerability is a flaw in OpenSSL, an open-source implementation of the SSL and TLS protocols.
Off-Site Services, Inc. (OSS) does not use OpenSSL certificates on any of the sites it hosts and manages. OSS uses OpenSSL to generate a CSR, which contains the public key and non-sensitive information about the site, and a private key, which is not distributed to anyone outside OSS. The CSR is then used to purchase an SSL certificate from one of the major SSL providers, such as Thawte, VeriSign, or GeoTrust.
As of 4/9/14, all required patches and updates had been applied to OpenSSL on all servers managed and hosted by OSS. However, on 4/10/14, Symantec issued an update to its advisory, suggesting that all existing certificates be replaced and re-keyed (http://www.symantec.com/connect/blogs/heartbleed-openssl-take-action-now).
In light of this new advisory, we suggest that all customers who currently host their sites with OSS, or have OSS manage their site, replace their SSL certificates. Please contact your OSS representative if you require a new CSR.