Heartbleed FAQ
First of all, we should dispel some FUD.
- This can really only be used by someone targeting your server; by the time this was resolved there was no automated, widespread scanning or exploitation of this vector.
- We have heuristics in place that detect anomalies in account access, based on the last login IP address, which should detect if we are targeted.
- We still host on Heroku, and they responded immediately: we were patched before mainstream news picked this up.
- We use the services of CloudFlare in front of our app servers; they were part of the group that knew before it was publicly disclosed and had already patched.
- The attack vector means attackers could read small pieces of server RAM (64k max per request), and would basically have to store all of it as blobs and then work out how to piece it back together into something useful.
- A main worry had always been the SSL keys becoming compromised. The attack vector for this is basically a fake domain using your certificate, or a man-in-the-middle attack; either of these is difficult to use and would mean you are a serious target. At that point you would have many other things to worry about.
- Heroku: https://status.heroku.com/incidents/606
- CloudFlare: http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities
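The "64k max per request" point above comes from the shape of the TLS heartbeat message (RFC 6520): a 2-byte payload_length field that the vulnerable OpenSSL trusted without checking it against the bytes actually received. That mismatch is also what a defender can look for on the wire. The checker below is an added example, not code from this FAQ, Heroku or CloudFlare; it assumes the record layout from RFC 6520 (content type 24, then message type, payload_length, payload, at least 16 bytes of padding), and the two sample records are constructed inline for the test.

```python
import struct

TLS_HEARTBEAT_CONTENT_TYPE = 24   # RFC 6520 content type for heartbeat records
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16                  # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data):
    """Split one TLS record into (content_type, (major, minor), body).

    Raises ValueError if the record header or body is truncated.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record body")
    return content_type, (major, minor), body


def check_heartbeat(record):
    """Classify a TLS record as seen by a passive sensor.

    Returns (verdict, estimated_overread):
      ("not-heartbeat", 0)      - not a heartbeat record at all
      ("ok", 0)                 - claimed payload fits in the bytes received
      ("malformed-length", n)   - claimed payload_length exceeds what was sent;
                                  n estimates how many bytes a vulnerable
                                  server would copy from memory beyond the
                                  real payload (assumes minimum padding).
    """
    content_type, _version, body = parse_tls_record(record)
    if content_type != TLS_HEARTBEAT_CONTENT_TYPE:
        return ("not-heartbeat", 0)
    if len(body) < 3:
        # Not even room for type + payload_length: treat as malformed
        return ("malformed-length", 0)
    _msg_type, payload_length = struct.unpack("!BH", body[:3])
    available = len(body) - 3                      # bytes for payload + padding
    real_payload = max(0, available - MIN_PADDING)  # best case for the sender
    if payload_length > real_payload:
        return ("malformed-length", payload_length - real_payload)
    return ("ok", 0)


def scan_records(records):
    """Run check_heartbeat over a list of records; return only the alerts."""
    alerts = []
    for index, record in enumerate(records):
        verdict, overread = check_heartbeat(record)
        if verdict == "malformed-length":
            alerts.append((index, overread))
    return alerts


# Constructed sample records (not captured traffic).
# Well-formed heartbeat request: payload_length 4 ("ping") + 16 bytes padding.
BENIGN_HEARTBEAT = b"\x18\x03\x01\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
# Same bytes on the wire, but payload_length claims 0x4000 = 16384 bytes.
MALFORMED_HEARTBEAT = b"\x18\x03\x01\x00\x17" + b"\x01\x40\x00ping" + b"\x00" * 16
# A handshake record (content type 22), which the checker must ignore.
HANDSHAKE_RECORD = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_HEARTBEAT),
                      ("malformed", MALFORMED_HEARTBEAT),
                      ("handshake", HANDSHAKE_RECORD)]:
        print(name, check_heartbeat(rec))
    print("alerts:", scan_records([BENIGN_HEARTBEAT, MALFORMED_HEARTBEAT]))
```

The estimate is an upper bound on the mismatch rather than an exact leak size, because a client may send more than 16 bytes of padding; what matters for alerting is that the claimed length is larger than the record could possibly carry, which is the same condition the widely deployed IDS signatures for this bug key on. Feeding the checker a stream of TLS records from a capture and counting such alerts per source is one way to back the "we have not detected any anomalies" claim with evidence from the network rather than only from login heuristics.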
We do plan to re-issue our SSL certificate in the coming week or so, just to take extra precautions. We have multiple layers of modern security in place, and we have not detected any anomalies in access to the system at any point.