Yesterday, OpenSSL published a security advisory. While the advisory itself sounds rather benign, the implications of being able to read 64kB of server process memory are horrifying. Heartbleed.com describes them in detail. That memory can contain session secrets, form POST data (including passwords before they’re hashed), and even the server’s private key.
Here’s what we did to protect you:
- We patched our servers within an hour of the vulnerability being announced to the public.
- We immediately contacted our certificate authority to revoke our old certificate and create a new one.
- We cleared existing sessions from our database.
More important than our reaction, was our preparation. Our security practices paid off. We only use cipher suites with perfect forward secrecy, meaning that even if someone managed to get our private key, they would not be able to decrypt past communications. Similarly, our admin interface requires multi-factor authentication. An attacker who intercepted one of our passwords would still need one of our YubiKeys to view or modify your data.
Considering the severity of this vulnerability, I’m satisfied with both our preparation and response. We acted quickly and did everything possible to mitigate the impact. Most of the six-hour delay in re-keying was spent waiting on our CA, as they were inundanted with requests to revoke and issue certificates.
That said, we realize that security is a process; we’ll never be done with it. We’ll continue to cultivate the mindset of an attacker as we build Floobits.