Two weeks after the discovery of the Heartbleed bug we’re still actively monitoring the situation and fixing systems that might be at risk. After updating software and certificates, we believe that our systems are no longer vulnerable to Heartbleed. We maintain a detailed list of the corrective actions we've taken in our support forum.
We are also planning to test our users' systems—particularly Globus endpoints that are running Globus Connect Server, and identity providers running MyProxy and OAuth servers—and will notify endpoint owners if we find that their systems are still vulnerable. If you're the administrator of such a system you may notice our testing activity in your network logs. Our test program probes servers with requests that exploit the bug. In order to minimize exposure of sensitive data, we send a packet to the server requesting just two bytes of data. Testing takes place from Amazon EC2, but not from our existing servers, so we may not detect exposed servers which are protected from untrusted parties by firewall rules.
As a precautionary measure, we're also encouraging users to change the password on their Globus account(s): www.globus.org/account/ChangePassword. Please feel free to contact us if you have any questions related to our handling of Heartbleed.