09 Apr 2014 - Münster (by Dominik)

The Heartbleed Bug (CVE-2014-0160)


On April 7, 2014 at about 17:30 UTC, security researchers announced a serious bug in the OpenSSL software. OpenSSL is the most popular open source cryptographic library and Transport Layer Security (TLS) implementation used to encrypt traffic on the Internet. Regardless of whether you are browsing the web, using online banking, sending and receiving emails, chatting, connecting to your office via a Virtual Private Network (VPN) or logging in to your fancy new internet connected teapot, there's a good chance that OpenSSL is taking care of that encrypted connection for you.

The discovered vulnerability (CVE-2014-0160, colloquially known as 'The Heartbleed Bug') allows an attacker to read chunks of memory from an affected server (or client) without leaving a trace in the logs. That memory can contain the plaintext of supposedly secure communications, session cookies and passwords, and in the worst case even the secret keys used for encrypting the data and identifying the service provider.
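To show why a single malformed message can leak memory, here is an added example that is not fruux's or OpenSSL's code: a small model of the TLS heartbeat handler in C. A heartbeat message (RFC 6520) carries a 16-bit payload length that the peer is supposed to echo back; the vulnerable handler trusts that declared length and copies that many bytes out of its receive buffer, while the fixed handler first checks the declared length against the record it actually received. The arena, the fake secret and the function names are constructed for this demonstration; the length checks in the fixed version mirror the ones added in OpenSSL 1.0.1g.

```c
/* Added example (not fruux's or OpenSSL's code): a model of the TLS
 * heartbeat handling behind CVE-2014-0160. A flat byte array stands in
 * for the server's memory so that the over-read stays inside this
 * program instead of walking the real heap. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE       256  /* constructed stand-in for process memory */

/* Constructed secret that happens to sit in memory after the record. */
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";

/* Build a heartbeat message: type | length (2 bytes, big-endian) | payload
 * | padding. 'declared' may differ from 'actual_len'; that mismatch is the
 * whole attack. Returns the number of bytes actually present on the wire,
 * i.e. what OpenSSL calls rrec.length. */
size_t build_heartbeat(uint8_t *out, uint16_t declared,
                       const uint8_t *payload, size_t actual_len)
{
    size_t n = 0;
    out[n++] = TLS1_HB_REQUEST;
    out[n++] = (uint8_t)(declared >> 8);
    out[n++] = (uint8_t)(declared & 0xff);
    memcpy(out + n, payload, actual_len);
    n += actual_len;
    memset(out + n, 0, HB_PADDING);   /* zeros stand in for random padding */
    return n + HB_PADDING;
}

/* Shared response path: echo 'payload' bytes starting at 'p'. */
static size_t emit_response(uint8_t *resp, const uint8_t *p, uint16_t payload)
{
    uint8_t *bp = resp;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, p, payload);           /* copies whatever follows the header */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return (size_t)(bp + HB_PADDING - resp);
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 before 1.0.1g: the copy
 * length comes from the attacker and rec_len is never consulted. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    (void)rec_len;                                  /* ignored: the bug */
    uint8_t hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);  /* n2s() */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return emit_response(resp, rec + 3, payload);   /* reads past the record */
}

/* Fixed handler: the two length checks added in OpenSSL 1.0.1g. A message
 * that fails them is silently discarded, as RFC 6520 section 4 requires. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                     /* too short for header plus padding */
    uint8_t hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                     /* declared length exceeds record */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return emit_response(resp, rec + 3, payload);
}

/* Run one probe (actual payload "hi", attacker-chosen 'declared') against
 * either handler. resp must hold 3 + declared + HB_PADDING bytes. */
size_t run_probe(int patched, uint16_t declared, uint8_t *resp)
{
    uint8_t arena[ARENA_SIZE];
    if (3 + (size_t)declared + HB_PADDING > ARENA_SIZE)
        return 0;                     /* harness limit, not part of the bug */
    memset(arena, 'x', sizeof arena);
    const uint8_t probe_payload[] = "hi";
    size_t rec_len = build_heartbeat(arena, declared, probe_payload, 2);
    memcpy(arena + rec_len + 8, SECRET, sizeof SECRET);   /* after the record */
    return patched ? heartbeat_fixed(arena, rec_len, resp)
                   : heartbeat_vulnerable(arena, rec_len, resp);
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the response to an oversized request carries the secret, else 0. */
int probe_leaks_secret(int patched)
{
    uint8_t resp[ARENA_SIZE];
    size_t n = run_probe(patched, 64, resp);
    return contains(resp, n, SECRET);
}

size_t probe_response_len(int patched, uint16_t declared)
{
    uint8_t resp[ARENA_SIZE];
    return run_probe(patched, declared, resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", probe_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", probe_leaks_secret(1));
    return 0;
}
```

This is also what the Heartbleed test tools look for: they send a heartbeat request whose declared length is far larger than its payload, and a server that answers with a heartbeat response of the declared length is unpatched, while a patched server silently drops the message.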

On the scale of 1 to 10, this is an 11. - Bruce Schneier

Heartbleed and fruux

No evidence that data was compromised

When information about the bug became public on April 7, we immediately started analyzing the vulnerability by attacking our own servers. We discovered that our load balancers (systems that take care of splitting up requests to multiple backend servers) were vulnerable, but we have no indication that any data was compromised. While attacking our own systems, we couldn't exploit the vulnerability to gain access to our private keys.

Additional security via Perfect Forward Secrecy (PFS)

We have also been using Perfect Forward Secrecy (PFS) for a while. With PFS, each session key is derived from an ephemeral Diffie-Hellman exchange rather than from the server's long-term private key, so past communications are protected from retrospective decryption even if our keys were compromised, which we have no evidence of and which we also couldn't achieve when attacking our systems ourselves. Note that PFS only protects recorded traffic; it does nothing for data that was sitting in a vulnerable server's memory at the time of an attack.

What actions have been and should be taken?

We prefer to be safe rather than sorry, which is why we replaced all of our private keys and SSL certificates anyway after the vulnerability was mitigated on April 8, 2014. We have an A+ rating in the Qualys SSL Server Test. Don't take our word for it: check it yourself. Regardless, it is good practice to change your passwords from time to time, and the Heartbleed bug makes now one of those times: please change your password.

What about other services?

OpenSSL is so widely used that there is a good chance that other services you are using have been affected by the Heartbleed bug. Before logging in anywhere, we strongly recommend checking whether the vulnerability has been mitigated and whether the service has replaced its private keys and SSL certificates as a security measure. Tools such as the Qualys SSL Server Test, the Heartbleed test or the bleed command line tool can be used to test servers for the vulnerability. Whether the certificate has been replaced can be seen from its validity start date in your browser: a certificate issued after April 7, 2014 is a good sign, although the old one should also have been revoked. Only once the service you are testing is no longer vulnerable and you are sure that private keys and SSL certificates have been replaced should you change your password there, too; a new password sent to a still-vulnerable server can be leaked just like the old one.

About Dominik

Dominik started fruux back in 2007. He's a lawyer that writes code and has Amazon subscriptions for stuff that normal people buy in the supermarket. Follow him on Twitter or contact him via e-mail.

fruux is a free service that looks after your contacts, calendars and tasks so you don't have to. It makes sure that they are always in sync, no matter which device or operating system you're using. If you've not tried it yet, then why not check us out and let us know what you think! And if you're already using fruux, then we'd love to hear your thoughts and comments. You can also suggest a feature for any upcoming releases or tweet us: @fruux.