
Heartbleed FAQ

Heartbleed seems to have been a once-in-a-decade type of security problem.

First of all, we should dispel some FUD.
  • This can really only be used by someone targeting your server; by the time this was resolved, there was no automated or widespread scanning or exploitation of this vector.
  • We have heuristics in place that use the last login IP address to detect anomalies in account access; these should detect if we are targeted.
  • We still host on Heroku, and they responded immediately; we were patched before mainstream news picked this up.
  • We use Cloudflare in front of our app servers; they were part of the group that knew before it was publicly disclosed and had already been patched.
  • The attack vector means an attacker could read small pieces of memory (64k max) out of the server RAM, store all of it as raw blobs, and then have to work out how to piece it back together into something useful.
  • A main worry has always been the SSL keys becoming compromised. Using a compromised key means either a fake domain presenting your certificate or a man-in-the-middle attack; either of these is difficult to carry out and would mean you are a serious target, at which point you would have many other things to worry about.
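The bullet about reading small pieces of memory comes down to one missing bounds check: a heartbeat request carries a 2-byte length field (hence the 64k maximum), and an unpatched server copied that many bytes into its reply without checking that the request actually contained them. The following Python is an added example, not code from this page, Heroku, Cloudflare or OpenSSL; it parses a TLS heartbeat record the way a patched server or an IDS rule would, rejecting any record whose declared payload length exceeds the bytes on the wire. The record layout follows RFC 6520; the record builder, the TLS version value and the sample payloads are constructed for the example.

```python
import struct
from typing import Optional, Tuple

# TLS record and heartbeat constants (RFC 6520 / RFC 5246)
CONTENT_TYPE_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16          # RFC 6520 requires at least 16 bytes of padding
MAX_PAYLOAD = 0xFFFF      # the 2-byte length field caps a request at 64 KiB
TLS_VERSION = 0x0302      # constructed value (TLS 1.1) for the sample records


class HeartbeatError(ValueError):
    """Raised for a heartbeat record that must be dropped rather than answered."""


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse one TLS heartbeat record and return (hb_type, payload).

    The bounds check mirrors the OpenSSL fix for Heartbleed (CVE-2014-0160):
    the declared payload length is compared against the bytes actually present
    before any payload is read. An unpatched implementation trusted the declared
    length and copied that many bytes of process memory into the response.
    """
    if len(record) < 5:
        raise HeartbeatError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_HEARTBEAT:
        raise HeartbeatError(f"not a heartbeat record (type {content_type})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise HeartbeatError("record length does not match bytes on the wire")
    # Heartbeat body: type(1) | payload_length(2) | payload | padding(>=16)
    if len(body) < 3:
        raise HeartbeatError("heartbeat body too short to carry a length field")
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError(f"unknown heartbeat type {hb_type}")
    # The check that was missing: 1 + 2 + payload + 16 must fit inside the record.
    if 1 + 2 + payload_len + PADDING_LEN > rec_len:
        raise HeartbeatError(
            f"declared payload {payload_len} bytes exceeds record body of {rec_len} bytes"
        )
    payload = body[3:3 + payload_len]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat record (constructed helper for the example).

    `declared_len` overrides the real payload length so a test can build a
    malformed record whose length field does not match its contents.
    """
    if declared_len is None:
        declared_len = len(payload)
    body = bytes([hb_type]) + struct.pack("!H", declared_len) + payload + b"\x00" * PADDING_LEN
    return struct.pack("!BHH", CONTENT_TYPE_HEARTBEAT, TLS_VERSION, len(body)) + body


def respond_to_heartbeat(record: bytes) -> bytes:
    """Answer a valid request by echoing exactly the bytes that were sent, never more.

    Malformed records are rejected by parse_heartbeat before any payload is touched.
    """
    hb_type, payload = parse_heartbeat(record)
    if hb_type != HEARTBEAT_REQUEST:
        raise HeartbeatError("only requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def is_malformed(record: bytes) -> bool:
    """Log/IDS helper: True when the record would have triggered the bug."""
    try:
        parse_heartbeat(record)
        return False
    except HeartbeatError:
        return True


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    bad = build_heartbeat(HEARTBEAT_REQUEST, b"ping", declared_len=MAX_PAYLOAD)
    print("well-formed request malformed?", is_malformed(good))   # False
    print("oversized length field malformed?", is_malformed(bad))  # True
    print("reply payload:", parse_heartbeat(respond_to_heartbeat(good))[1])
```

The second sample record is what a Heartbleed probe looks like on the wire: a 4-byte payload with a length field claiming 65535 bytes. With the check in place it is dropped; without it, the reply would contain the 4 bytes sent plus roughly 64k of whatever sat next to them in memory, which is the "small pieces of memory" the bullet describes.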
Here are links from our platform providers:
  1. Heroku: https://status.heroku.com/incidents/606
  2. CloudFlare: http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities
For some reason every site on the internet believes passwords could have been compromised and suggests you change them. We have NO reason to believe this to be the case for your accounts, but there are a lot of very smart people recommending this. It certainly can't hurt, so we encourage doing this.

We do plan to re-issue our SSL certificate in the coming week or so as an extra precaution. We have multiple levels of extremely modern security in place, and we have not detected any anomalies in access to the system at any point.
