Security Update: Heartbleed OpenSSL vulnerability

UPDATE (2014-04-16): We have confirmed that all of the old certificates were added to the Certificate Revocation List (CRL) published by the certificate issuer as of April 15th, 8:38.

On April 7th, a critical vulnerability (CVE-2014-0160) in the widely used cryptography library OpenSSL was reported.

This vulnerability, known as Heartbleed, allows an unauthenticated remote attacker to read chunks of a vulnerable server's process memory, which can include TLS private keys, session cookies and passwords in transit, and therefore to steal private information from our services from the outside.

What we’re doing for the issue

Soon after we became aware of the issue, we began securing our services and the websites we maintain.

As of April 8th 14:00 (UTC), we had completed patching the affected versions of OpenSSL on all of our servers. We have also confirmed that the affected Elastic Load Balancer provided by Amazon Web Services, which we employ in some of our services, had been fixed by April 9th 0:00 (UTC). For AWS's update on this issue, see their announcement.
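As an added illustration (not part of the original advisory and not Nulab's own tooling), the following Python snippet classifies `openssl version` strings against the affected range: 1.0.1 through 1.0.1f (including the 1.0.1 pre-releases) and 1.0.2-beta1 are vulnerable, 1.0.1g and later are fixed, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The host inventory is constructed for the example. The caveat in the code matters in practice: distributions such as Debian, Ubuntu and RHEL backported the fix without changing the version number, so a "vulnerable" verdict is a prompt to verify the host, not proof that it is exploitable.

```python
import re
import ssl

# Matches OpenSSL release strings such as "1.0.1e", "1.0.1", "1.0.2-beta1" or "3.0.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+|dev))?$")


def parse_openssl_version(text):
    """Parse a bare version ("1.0.1e") or the full output of `openssl version`
    ("OpenSSL 1.0.1e 11 Feb 2013", which is also the format of ssl.OPENSSL_VERSION).
    Returns (major, minor, fix, letter, prerelease); raises ValueError for anything
    that is not an OpenSSL version string (e.g. "LibreSSL 2.8.3")."""
    tokens = text.split()
    if tokens and tokens[0].lower() == "openssl":
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("empty version string")
    match = _VERSION_RE.match(tokens[0])
    if not match:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letter, pre = match.groups()
    return int(major), int(minor), int(fix), letter, pre


def heartbleed_status(text):
    """Classify an OpenSSL version against CVE-2014-0160 (Heartbleed).

    Returns "vulnerable", "fixed" or "not_affected". This is a version-string
    check only: vendors shipped the fix as a patch to 1.0.1e without bumping the
    version, and builds compiled with -DOPENSSL_NO_HEARTBEATS are safe regardless
    of version, so "vulnerable" means "confirm on the live host".
    """
    major, minor, fix, letter, pre = parse_openssl_version(text)
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        # The 0.9.8 and 1.0.0 branches never contained the heartbeat extension code.
        return "not_affected"
    if branch == (1, 0, 1):
        # 1.0.1 through 1.0.1f, and all 1.0.1 pre-releases, are vulnerable; 1.0.1g fixed it.
        return "vulnerable" if (pre is not None or letter < "g") else "fixed"
    if branch == (1, 0, 2):
        # Only 1.0.2-beta1 shipped with the bug; beta2 and every later 1.0.2 release are fixed.
        return "vulnerable" if pre == "beta1" else "fixed"
    return "fixed"


def triage(inventory):
    """Group hosts by Heartbleed status. `inventory` maps host -> `openssl version` output."""
    groups = {"vulnerable": [], "fixed": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            groups[heartbleed_status(version)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


# Constructed sample inventory (hypothetical hosts, not Nulab's infrastructure).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "lb-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-01": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-13s %s" % (status + ":", ", ".join(hosts) or "-"))
    # The same check applies to the library this Python interpreter is linked against.
    try:
        print("local ssl module:", ssl.OPENSSL_VERSION, "->", heartbleed_status(ssl.OPENSSL_VERSION))
    except ValueError as err:
        print("local ssl module:", err)
```

On a fleet, feed the function the output of `openssl version` from each host (or the package version from the distribution's changelog for backported fixes), and treat every "vulnerable" entry as a host to re-check after patching and restarting every process that had the old library loaded, since a patched file on disk does not fix a running daemon.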

So far, we have not detected any attacks against our services. However, this vulnerability is by nature hard to detect: the malformed heartbeat request is handled inside the TLS layer before any application code runs, so exploitation leaves no trace in ordinary server logs. Therefore, we decided to replace the SSL certificates used in all of our services and completed the replacement on April 9th 4:00 (UTC). The old certificates will be revoked by the certificate issuers.

In addition, we plan to invalidate all persistent ("remember me") login sessions created before April 9th on each of our services, so some of you will need to sign in again.

Although we have taken the necessary measures and confirmed with the SSL Server Test (Qualys SSL Labs) and other tools that we are no longer exposed, we will continue to monitor our services closely during this time.

What you can do about it

To keep your information secure, we strongly recommend that you change your password on our services, since a password sent to a vulnerable server before it was patched could have been captured.

If you use any of our services' APIs, re-issue the API credentials used by your applications, as the old ones may likewise have been exposed.

If you would like to know more about what we have done on each of our services, use our inquiry forms or the user forum and post your questions there.

As mentioned in an earlier post, we enabled cipher suites supporting Perfect Forward Secrecy on our servers last August. With these suites the session key is derived from an ephemeral Diffie-Hellman exchange and the server's long-term private key is used only to authenticate it, so a private key stolen through Heartbleed cannot be used to decrypt previously recorded traffic. This protection applies to sessions that actually negotiated a forward-secret suite; a client that negotiated plain RSA key exchange is not covered. The same mitigation has been adopted by services such as Twitter and GitHub. We will keep improving our security measures to keep our services safe.
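To make the forward-secrecy point concrete, here is an added example (not from the original post and not Nulab's configuration) that audits a cipher list using the `Kx=` field of OpenSSL's one-line cipher descriptions, and builds a client context restricted to ephemeral, authenticated suites. The cipher string and the sample description lines are assumptions for the illustration. Two caveats a practitioner would want are encoded in the verdicts: anonymous (EC)DH suites are ephemeral but unauthenticated, and static (EC)DH or RSA key exchange gives no forward secrecy at all.

```python
import re
import ssl

# OpenSSL's one-line cipher description, as printed by `openssl ciphers -v` and
# returned in ssl.SSLContext.get_ciphers()[i]["description"], e.g.
#   "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
_KX_RE = re.compile(r"\bKx=(\S+)")
_AU_RE = re.compile(r"\bAu=(\S+)")

# Key-exchange labels that mean a fresh (EC)DH key per connection. "any" is what
# OpenSSL prints for TLS 1.3 suites, which always use ephemeral (EC)DHE.
_EPHEMERAL_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}


def classify_cipher(description):
    """Return "forward_secret", "unauthenticated" or "static_key_exchange" for one suite.

    Forward secrecy needs an ephemeral key exchange. RSA key exchange (Kx=RSA) or
    static (EC)DH (Kx=ECDH/RSA, Kx=DH/DSS, ...) lets a later private-key theft such
    as Heartbleed decrypt recorded traffic. Anonymous suites (Au=None) are ephemeral
    but unauthenticated, so they are flagged rather than accepted.
    """
    kx = _KX_RE.search(description)
    au = _AU_RE.search(description)
    if kx is None:
        raise ValueError("no Kx= field in %r" % description)
    if au is not None and au.group(1) == "None":
        return "unauthenticated"
    return "forward_secret" if kx.group(1) in _EPHEMERAL_KX else "static_key_exchange"


def audit_ciphers(descriptions):
    """Map suite name -> classification for an iterable of description lines."""
    return {d.split()[0]: classify_cipher(d) for d in descriptions}


def pfs_only_context():
    """A client context restricted to ephemeral, authenticated suites.

    `kRSA` and `aNULL` are OpenSSL cipher-string aliases for RSA key exchange and
    anonymous suites. Excluding them is the corrected setting; OpenSSL's DEFAULT
    list at the time of Heartbleed still offered RSA key exchange.
    (Cipher string chosen for this example, not taken from any real deployment.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!kRSA")
    return ctx


def audit_context(ctx):
    """Audit every suite a context would offer (TLS 1.3 suites included)."""
    return audit_ciphers(c["description"] for c in ctx.get_ciphers())


# Constructed description lines in the format OpenSSL prints; not from a real scan.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
    "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1",
    "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",
    "ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1",
    "AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1",
    "TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD",
]

if __name__ == "__main__":
    for name, verdict in audit_ciphers(SAMPLE_CIPHERS).items():
        print("%-28s %s" % (name, verdict))
    bad = [n for n, v in audit_context(pfs_only_context()).items() if v != "forward_secret"]
    print("non-PFS suites offered by hardened context:", bad or "none")
```

The same `audit_ciphers` function can be pointed at the output of `openssl ciphers -v '<your server cipher string>'` to review a server configuration before deploying it; the context-building half shows the client side of the same policy.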
