Heartbleed Update
In the wake of the disclosure of the Heartbleed bug in OpenSSL and the possibility of exploiting it to recover a server's TLS private key, we have been working around the clock to make sure we are fully secure.
This bug affects OpenSSL only, specifically versions 1.0.1 through 1.0.1f (1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, 1.0.1e and 1.0.1f) as well as the 1.0.2-beta1 pre-release; it is patched in version 1.0.1g. The older 0.9.8 and 1.0.0 branches never contained the vulnerable heartbeat code. Note that several Linux distributions backported the fix without changing the version string, so the output of openssl version alone does not settle whether a particular build is patched; check the build date or the package changelog as well.
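As an added illustration (not part of the original post or of iKnode's tooling), the following Python script applies those version rules to the text of openssl version -a and flags builds where a distribution may have backported the fix without changing the version string. The sample outputs it consumes are constructed to look like real ones, not captured from any host.

```python
"""Classify an OpenSSL build for the Heartbleed bug (CVE-2014-0160) from the
text of `openssl version -a`. Added example, not iKnode's code; sample
inputs are constructed."""
import re
from datetime import date

# Releases that shipped the vulnerable heartbeat code: 1.0.1 through 1.0.1f
# and the 1.0.2-beta1 pre-release. 1.0.1g fixed it (released 7 Apr 2014);
# the 0.9.8 and 1.0.0 branches never implemented TLS heartbeats at all.
FIX_DATE = date(2014, 4, 7)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
BUILT_RE = re.compile(
    r"built on:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+(?:\w+\s+)?(\d{4})"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_version(text):
    """-> (major, minor, patch, letter, beta); e.g. '1.0.1e' -> (1, 0, 1, 'e', None)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version string found")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, m.group(4), beta


def parse_build_date(text):
    """Date from the 'built on:' line of `openssl version -a`, or None if absent."""
    m = BUILT_RE.search(text)
    if not m:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def version_in_affected_range(v):
    """True for the upstream releases that carried the vulnerable code."""
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"   # '' (plain 1.0.1) and a..f affected, g onward fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1       # only the first 1.0.2 beta shipped the bug
    return False


def assess(version_output):
    """'not-affected', 'affected', or 'affected-version-possibly-backported'."""
    if not version_in_affected_range(parse_version(version_output)):
        return "not-affected"
    built = parse_build_date(version_output)
    # Debian, Ubuntu and RHEL patched 1.0.1e in place: the version string stays
    # the same and only the build date (and the package changelog) reveals the
    # fix, so a version-only check would wrongly condemn a patched host.
    if built is not None and built >= FIX_DATE:
        return "affected-version-possibly-backported"
    return "affected"


if __name__ == "__main__":
    # Constructed sample resembling an Ubuntu host rebuilt on the fix date.
    sample = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\n"
    print(assess(sample))
```

A result of "affected-version-possibly-backported" is not a clean bill of health; it means the version string cannot decide the question and the host should be confirmed with the package changelog or a live heartbeat check.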
Some nodes in our infrastructure run Linux, but they are not exposed to the web and do not hold our SSL certificates. We do use Rackspace's and Amazon's load balancers, whose SSL termination turned out to be vulnerable. However, when we first set up our infrastructure we decided to keep our certificates in our web server images instead of terminating SSL at the load balancer, so the load balancers only pass encrypted traffic through and never hold our private key. Our web application is .NET based and hosted on Windows under IIS, which uses Microsoft's SChannel rather than OpenSSL for TLS. This means that we are not vulnerable.
We had planned to move our certificates to the load balancer to simplify our image deployments. After this event, we are rethinking that strategy. It is worth admitting that we were unaffected by pure luck: we were in the process of moving our infrastructure to a new engine (which we will talk more about later), and as part of that move we were also configuring SSL termination in the load balancer.
As of right now, you have nothing to worry about while using iKnode; we are not affected by this bug at all. As a precaution, we still recommend that you change your password for the iKnode Management console.
If you want to check other sites to see if they are vulnerable to the bug, you can use either of the following:
- Heartbleed test (filippo.io)
- LastPass Heartbleed test (lastpass.com)
Our friends at Cloudflare initially reported that they had not been able to extract a private key with this bug; however, the public challenge they ran afterwards showed that it can be done, so any service that terminated TLS with a vulnerable OpenSSL should assume its key was exposed, reissue its certificate and revoke the old one. We'll keep you updated as more information is revealed.
If you have any questions or concerns, please don’t hesitate to contact us. We can be reached by using the Support console.