David Ashby

Heartbleed

On Monday, April 7th, a major bug in the popular SSL library OpenSSL was announced, generally known as Heartbleed. The vulnerability, in a nutshell:

Without using any privileged information or credentials we were able to steal the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

Kindling uses OpenSSL on our servers for HTTPS connections, and as soon as the vulnerability was announced we began working to mitigate our exposure by upgrading our versions of the affected libraries and invalidating any secure keys that might have been leaked. Our hosting provider, Amazon Web Services, also quickly moved to prevent exploitation of the vulnerability within their infrastructure.

We have no evidence that any malicious parties took advantage of this vulnerability while it was active on our servers. Due to the widespread use of the vulnerable library, however, it's possible that other sites on the internet were compromised, leaking usernames and passwords.

As The New York Times' Bits Blog points out, the best course of action for users is to update your passwords on sites after they've announced that they're secure against the vulnerability. Good password hygiene should also include not reusing passwords on multiple sites, so consider investing in a product such as 1Password or LastPass to generate one-off passwords per site, as opposed to reusing the same password across multiple applications.