Take care. This article is likely outdated.

Heartbleed

Heartbleed - fortrabbit is patched

If you have read any news feed today, you have probably come across the Heartbleed Bug by now. This bug affected most of the supposed-to-be-secure parts of the interwebs.

Summary

Heartbleed, aka CVE-2014-0160, is a vulnerability in the OpenSSL library. This library is used by many major open source server applications: most web server implementations, about any IMAP/POP3 or SMTP server, and a lot of VPN servers. The vulnerability was published last night. It allows attackers to misuse a TLS extension called heartbeat. Heartbeat is basically a keep-alive mechanism, which reduces the overhead of continuous TLS re-negotiation. The exploit: the attacker sends a malformed heartbeat packet. The server responds with 64KB of memory which it is not supposed to send. What those 64KB can contain is the problem. More on that later. A really good and detailed explanation can be found here.
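The missing length check in one place, as an added example written for this article (not fortrabbit's or OpenSSL's code): a Python parser for the heartbeat message format that discards a request whose declared payload_length is larger than the bytes that actually arrived, instead of echoing memory. The function names and the sample requests are constructed.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 1 + 2  # type (1 byte) + payload_length (2 bytes, big-endian)


def parse_heartbeat(record: bytes):
    """Parse one TLS heartbeat message body: type | payload_length | payload | padding.

    Returns (type, payload), or raises ValueError when the message must be
    silently discarded. The bounds check is the one the Heartbleed fix added.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("heartbeat message too short")
    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    # CVE-2014-0160: the vulnerable code trusted payload_length and echoed that
    # many bytes from memory even when far fewer had actually arrived. A peer can
    # declare up to 0xFFFF (~64KB), so bound it by the bytes really received.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        raise ValueError("declared payload_length exceeds record; discarding")
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_length]


def build_heartbeat_response(request: bytes) -> bytes:
    """Echo a well-formed request's payload back as a heartbeat_response."""
    hb_type, payload = parse_heartbeat(request)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat_request")
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", len(payload))
            + payload + bytes(MIN_PADDING))


def is_acceptable(record: bytes) -> bool:
    """True if the message passes the length check, False if it would be dropped."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


# Constructed sample messages (not captured traffic): a benign 5-byte request,
# and one that claims 0xFFFF payload bytes while only carrying 5.
GOOD_REQUEST = bytes([1]) + struct.pack("!H", 5) + b"hello" + bytes(MIN_PADDING)
BAD_REQUEST = bytes([1]) + struct.pack("!H", 0xFFFF) + b"hello" + bytes(MIN_PADDING)
```

A patched server answers GOOD_REQUEST with a 24-byte response and drops BAD_REQUEST; an unpatched one would answer the latter with 65535 bytes of whatever lay next to the record in memory.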

Global impact

The issue is still hotly discussed all over the web, and it will probably take some time before the first panic subsides and an in-depth analysis can take place. Currently, only the worst case scenario is repeated about everywhere. This worst case is: stolen private (SSL) keys and leaked sensitive data (eg in a mail server context, that might be login credentials). If that's true, it would mean everybody offering SSL (whether hosted on fortrabbit or about anywhere else) has to swap their SSL key immediately. Also change about any password you used all over the net… from ebay, to facebook, to lastpass, to — sadly — the fortrabbit dashboard.

How we were affected

As this bug affected the current stable versions of the OpenSSL library — we were affected as well. Our free SSL App URLs (https://your-app.eu1.frbit.net/) are served by NGINX, which uses the OpenSSL library. The ReSync tool was affected in the same way. Thanks to the very fast reaction of the Debian maintainers, we patched our nodes throughout the night, and at around 5h (UTC) we closed the vulnerability on the last of our nodes. In addition: we're using Amazon's elastic load balancers (ELB) for custom domain SSL certificates. Amazon announced that those ELBs are (or were) affected. AWS is currently patching their whole infrastructure throughout the regions. By now most (all, as far as we know) of the ELBs used by us are fixed.

What you should do

Giving a solid recommendation at this stage is not really possible. Here is what we've done and what you should do as well: Change all passwords, starting with critical ones (eg the fortrabbit dashboard, banking, mail, …). Change certificates: better now than later. Be cautious whenever visiting any site using encryption (are they already patched?) in the next weeks. Calm down.

What brings the future

That's a big mystery. It mainly depends on how fast the different distributors will — and can — react. Especially in the context of hardware devices, for which vendors usually take longer to provide patches, and users take longer to install them. From routers, to heaters, to mobile devices — there is a lot of bad potential out there. In any case: I'm sure that it's not over yet at all.
