April 10, 2014
The Heartbleed bug is a vulnerability in OpenSSL that was disclosed on Monday night, April 7th (CEST). OpenSSL is a very popular cryptographic software library. Approximately two thirds of all servers use it to encypt Internet traffic. The Heartbleed weakness could have been exploited by attackers to eavesdrop on communications, steal data, and compromise secret keys of SSL certificates.
Here at mite, we used and are using OpenSSL, too. Today, we want to tell you in detail how we reacted to Heartbleed, when, and which actions we took to secure your data. This information comes a little late. We are sorry about that. On the technical side, we were so much faster! You could rely on us, and you can rely on us in the future, too.
- We learned about Heartbleed on Tuesday morning, 9:20am.
- As soon as a security patch was available for our systems, we started to install them. At 12:02am, all of our servers were successfully patched.
- As a measure of precaution, we requested a new SSL certificate with new keys. We rebooted all servers. Since 12:24am, they use the new certificate. As the certificate was re-issued by DigiCert Inc, you won’t see this new validation date, don’t let this fool you.
- We changed all of our passwords on all systems.
- Tonight, we will invalidate all cookies. You will have to log-in again.
Better safe than sorry, so please change your passwords for mite, too. Click on your user name in the upper right-hand side to do that.
OpenSSL is widespread, and Heartbleed thus affected lots of services. Please think about changing your password for other services, too, especially webmail services. You can check whether or not a service is patched thanks to services such as this one. If so, check if the certificate is a new one, or ask if it was re-issued. Then, change your password.
Thanks for your attention. Now back to work!