Watchful hardened against Heartbleed vulnerability
Friday, 11 April 2014 / Blog
As many of you have likely heard, an incredibly serious and widespread security vulnerability was recently reported in OpenSSL, an important cryptographic software library used on many servers.
OpenSSL is used to secure large swaths of internet communications and thus the Heartbleed weakness allows attackers to eavesdrop on communications, steal data directly from services and users and to impersonate services and users (learn more at heartbleed.com).
Thankfully, the global response to Heartbleed has been robust and if you recently found yourself unexpectedly logged out of services, it’s likely due to Heartbleed patches.
Watchful is not vulnerable to Heartbleed
From the day we opened our doors, the entire Watchful experience has been delivered via an SSL connection. Despite some parts of our infrastructure being affected by Heartbleed, there is no evidence that any of your site details have been compromised in any way.
In fact, although the bug is quite serious, it is still very, very difficult to use in the real world.
Nonetheless, to ensure continued security, we carefully examined our infrastructure immediately following the Heartbleed announcement and patched any potential problems. Here’s what we did:
- Patched our servers to prevent any Heartbleed vulnerabilities
- Deleted the keys used when generating our Extended Validation SSL (EV-SSL) Certificate
- Regenerated the keys and re-issued our EV-SSL certificate
- Regenerated the self-signed certificates used for email, FTP, etc…
- Changed the access passwords on our servers
- Regenerated the API keys for our payment provider
- Changed the account passwords for our payment provider
Note: we also use PayPal for payments, but this service was not affected by Heartbleed so no updates were required.
What else are you doing for security?
Two-factor authentication is a popular feature request. We have had this in R&D for some time and plan to launch it next week.
Should I be doing anything else?
All web site owners should test their sites and servers for susceptibility to Heartbleed. This can be done easily at filippo.io/Heartbleed/.
If you find that your site is vulnerable, contact your service provider or IT department immediately.
For good measure, you should also change your passwords for all your online services, including Watchful.
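The remediation list above (patch, then rotate keys and re-issue certificates) and the advice to test your own servers both come down to two local checks a site owner can run without any network probe: is the OpenSSL build on this machine one of the affected releases, and was the certificate now being served issued after the fix, so that it cannot still be tied to a key that existed while the server was exposed? The POSIX shell script below is an added example, not Watchful's code or tooling. The affected ranges (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g fixed; 0.9.8 and 1.0.0 never had the heartbeat extension) are the published ones. The rest is an assumption to confirm against your distribution's own advisory: distributions backported the fix without changing the version string (a patched build can still report 1.0.1e), so the script treats an affected version built on or after 7 April 2014 as "check-package" rather than "vulnerable". The function names and the `--local` flag are this example's own.

```shell
#!/bin/sh
# Added example (not Watchful's code): local Heartbleed exposure checks.
# Inputs are the strings printed by `openssl version`, `openssl version -b`
# and `openssl x509 -noout -startdate`, passed in as arguments so the
# functions can be exercised on constructed sample strings.

FIX_YEAR=2014; FIX_MONTH=4; FIX_DAY=7   # assumption: 7 Apr 2014, the 1.0.1g release date

# date_on_or_after_fix "<text containing a 'Mon DD ... YYYY' date>"
# exit 0 if that date is on/after the fix date, 1 otherwise (or if unparseable).
date_on_or_after_fix() {
    text=$1
    case "$text" in
        *Jan*) mon=Jan; m=1 ;;  *Feb*) mon=Feb; m=2 ;;  *Mar*) mon=Mar; m=3 ;;
        *Apr*) mon=Apr; m=4 ;;  *May*) mon=May; m=5 ;;  *Jun*) mon=Jun; m=6 ;;
        *Jul*) mon=Jul; m=7 ;;  *Aug*) mon=Aug; m=8 ;;  *Sep*) mon=Sep; m=9 ;;
        *Oct*) mon=Oct; m=10 ;; *Nov*) mon=Nov; m=11 ;; *Dec*) mon=Dec; m=12 ;;
        *) return 1 ;;
    esac
    # day: the number following the month name; year: the last 4-digit run
    day=$(printf '%s' "$text" | sed -n "s/.*$mon *\([0-9][0-9]*\).*/\1/p")
    year=$(printf '%s' "$text" | sed -n 's/.*\([12][0-9][0-9][0-9]\).*/\1/p')
    [ -n "$day" ] && [ -n "$year" ] || return 1
    [ "$year" -gt "$FIX_YEAR" ] && return 0
    [ "$year" -eq "$FIX_YEAR" ] && [ "$m" -gt "$FIX_MONTH" ] && return 0
    [ "$year" -eq "$FIX_YEAR" ] && [ "$m" -eq "$FIX_MONTH" ] && [ "$day" -ge "$FIX_DAY" ] && return 0
    return 1
}

# heartbleed_status "<openssl version>" "<openssl version -b>"
# prints one of: not-affected | vulnerable | patched | check-package | unknown
heartbleed_status() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.a-z-]*\).*/\1/p')
    case "$ver" in
        0.9.8*|1.0.0*)            echo not-affected; return ;;   # no heartbeat extension
        1.0.2-beta1)              status=vulnerable ;;
        1.0.1|1.0.1[a-f]*)        status=vulnerable ;;           # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*|1.0.2*|1.1*|[2-9].*) echo patched; return ;; # 1.0.1g and later
        *)                        echo unknown; return ;;        # not OpenSSL, or unparsed
    esac
    # an affected version string built on/after the fix date may carry a backported fix;
    # the package changelog, not the version string, is the authority in that case
    if date_on_or_after_fix "$2"; then echo check-package; else echo "$status"; fi
}

# cert_issued_after_fix "<openssl x509 -noout -startdate output>"
# exit 0 if notBefore is on/after the fix date, i.e. the certificate was (re)issued
# after remediation and is not one that was live while the server was exposed.
cert_issued_after_fix() { date_on_or_after_fix "$1"; }

# Stand-alone use on the local machine: sh heartbleed_check.sh --local [cert.pem]
if [ "${1:-}" = "--local" ] && command -v openssl >/dev/null 2>&1; then
    echo "openssl build: $(heartbleed_status "$(openssl version)" "$(openssl version -b)")"
    if [ -n "${2:-}" ]; then
        if cert_issued_after_fix "$(openssl x509 -noout -startdate -in "$2")"; then
            echo "certificate $2: issued after fix date"
        else
            echo "certificate $2: issued BEFORE fix date, rotate it"
        fi
    fi
fi
```

"check-package" is deliberately not "patched": the version string cannot distinguish a backported fix from an untouched build, so the only reliable answer there is the distribution's package changelog. The certificate check is the other half of the remediation list above: patching alone leaves a key that may already have been read out of process memory, which is why the post regenerates keys and re-issues the certificate, and a notBefore earlier than the fix date is a sign that step was skipped.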