Dealing with OpenSSL bug CVE-2014-0160 (Heartbleed)


By David Mytton, CEO & Founder of Server Density.

Published on the 8th April, 2014.

Yesterday a serious vulnerability in the OpenSSL library was disclosed as CVE-2014-0160, also dubbed the Heartbleed vulnerability. In practice this means you probably need to regenerate the private keys behind your SSL certificates and have the certificates reissued by your certificate authority.


This isn’t a difficult task, but it does take some time: OpenSSL has to be updated on every server, and then you have to generate new keys, have the certificates reissued, and install them in every location where they are deployed.
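The regenerate / reissue / install steps above, as an added shell example (this is not Server Density's own tooling). It assumes the `openssl` command line on the patched host; the hostnames, directories, key size and the `scp`/`ssh` reload step in `deploy` are placeholders. The part worth keeping is `check_rotation`: a certificate reissued on the old key protects nothing, so before installing anything it confirms both that the new certificate matches the new key and that the new key actually differs from the old one.

```shell
#!/bin/sh
# Added example (not Server Density's tooling): regenerate the private key and
# CSR for a host after OpenSSL has been patched, then prove that the reissued
# certificate was cut for the NEW key and not for the one that may have leaked.
# Hostnames, paths, key size and the reload command are placeholders.
set -eu

# Fresh key + CSR to submit to the CA. Reusing the old key would defeat the
# purpose: a certificate reissued on a leaked key protects nothing.
regen_key_and_csr() {
  host=$1; dir=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  chmod 600 "$dir/$host.key"                       # private key: owner only
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" 2>/dev/null
  openssl req -noout -verify -in "$dir/$host.csr" >/dev/null 2>&1   # CSR self-signature
}

# Public-key fingerprint (SHA-256 of the RSA modulus) from a key or a cert, so
# the two can be compared without looking at the whole file.
key_fingerprint()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
cert_fingerprint() { openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }

# Gate before installing: the reissued cert must match the new key, and the new
# key must differ from the old one. Exit status 0 only when both hold.
check_rotation() {
  old_key=$1; new_key=$2; new_cert=$3
  if [ "$(cert_fingerprint "$new_cert")" != "$(key_fingerprint "$new_key")" ]; then
    echo "REJECT: certificate does not match the new private key" >&2; return 1
  fi
  if [ "$(key_fingerprint "$old_key")" = "$(key_fingerprint "$new_key")" ]; then
    echo "REJECT: private key was not regenerated" >&2; return 1
  fi
  echo "ok: certificate was issued for a freshly generated key"
}

# Install on every host the certificate is deployed to, then reload the
# service so the new key is actually in use. Target path and reload command
# are placeholders; adjust to your setup.
deploy() {
  key=$1; cert=$2; shift 2
  for h in "$@"; do
    scp "$key" "$cert" "root@$h:/etc/ssl/private/"
    ssh "root@$h" 'service nginx reload'
  done
}

# Typical run (the CA reissue happens between the first and second line):
#   regen_key_and_csr www.example.com ./new
#   check_rotation ./old/www.example.com.key ./new/www.example.com.key ./new/www.example.com.crt \
#     && deploy ./new/www.example.com.key ./new/www.example.com.crt web1 web2
```

The modulus comparison is the quickest way to tell whether a certificate and a key belong together; comparing the old and new key fingerprints catches the common mistake of submitting the old CSR to the CA again, which yields a fresh certificate on a key that must be treated as compromised.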

We have completed this process for all of our websites and applications, and for Server Density v2 we use perfect forward secrecy, which should protect against retrospective decryption of previous communications.

However, in the latest release of our server monitoring iPhone app we enabled certificate pinning, which means that until our next update is approved by Apple the app will not be able to log in. You will still receive push notifications for alerts, but attempts to log in to the app will fail. Certificate pinning embeds our SSL certificate within the app and uses it to prevent man-in-the-middle attacks: the certificate returned by API calls to our service is verified against the known certificate embedded in the app, so the reissued certificate is rejected.
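The pinning decision described above, modelled as an added shell example; it is not code from the Server Density iPhone app. The post pins the certificate itself; this model pins the SHA-256 of the certificate's SubjectPublicKeyInfo (the form used by HTTP Public Key Pinning), which is an assumption, but the outcome is the same either way: a certificate issued on a regenerated key no longer matches the value baked into the client. It also shows the usual way out of the post's dilemma, a backup pin for the next key shipped in the app ahead of the rotation.

```shell
#!/bin/sh
# Added example, not the Server Density app's code: how a pinned client decides
# whether a served certificate is acceptable, and why rotating the key breaks a
# client that carries a single pin. Pins are base64(SHA-256(SPKI DER)).
set -eu

# Pin of a certificate: SHA-256 over its DER-encoded SubjectPublicKeyInfo.
spki_pin_of_cert() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

# Same pin derived from the private key. This is what makes a backup pin
# possible: the pin for the NEXT key can ship in the app before the CA has
# issued a certificate for it.
spki_pin_of_key() {
  openssl pkey -in "$1" -pubout -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

# Client-side check. $1 = certificate the server presented; remaining
# arguments = the pin set embedded in the app. Accepts on any match.
pin_check() {
  cert=$1; shift
  served=$(spki_pin_of_cert "$cert")
  for pin in "$@"; do
    [ "$served" = "$pin" ] && { echo "pin match"; return 0; }
  done
  echo "pin mismatch: served $served" >&2
  return 1
}

# Walk-through (file names are placeholders):
#   PRIMARY=$(spki_pin_of_key current.key)     # key in use today
#   BACKUP=$(spki_pin_of_key next.key)         # key generated offline for the rotation
#   pin_check served.crt "$PRIMARY" "$BACKUP"  # survives reissue onto next.key
```

A certificate reissued on the same key would have kept a single-pin client working, but after Heartbleed that key has to be assumed leaked, which is exactly why the post's only options were a client update or a few days of failed logins. Carrying a backup pin means the next rotation needs no app release at all.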

We discussed the best way to approach the reissue of certificates this morning and considered holding off so that we could first submit a new build to Apple with pinning disabled, then ship a further update with the new certificate. However, we felt that the vulnerability was severe enough that we should patch it for all our users at the expense of a small number of users being unable to use the iPhone app for a few days.

We have requested that Apple expedite the review process, but it still takes at least 24 hours to get a new release out. In the meantime, you should check whether your OpenSSL version is vulnerable and, if so, update!
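The "check whether your OpenSSL is vulnerable" step, as an added shell example that is not from the post. The affected range is the one published by the OpenSSL project: 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g is the fix, and the 1.0.0 and 0.9.8 branches are not affected. The version string alone is not a reliable answer, because distributions backport the fix without changing the number, so the script also looks at the build's compiler flags (a build with `-DOPENSSL_NO_HEARTBEATS` has the heartbeat extension removed), at the distribution changelog (the Debian/Ubuntu paths and the `rpm` query are the usual ones and are assumptions about your system), and at which running processes still have the old library mapped. The sample version lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the post: decide whether a host's OpenSSL is still
# exposed to CVE-2014-0160. Several checks are needed because the version
# string lies on distributions that backport fixes without bumping the number.
# Affected range per the OpenSSL project: 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g fixes it; the 1.0.0 and 0.9.8 branches are not affected.
set -eu

# $1: text starting with the `openssl version` line, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Prints one of: in-affected-range | fixed | not-affected | unknown
heartbleed_version_class() {
  ver=$(printf '%s\n' "$1" | awk '$1=="OpenSSL"{print $2; exit}')
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.2-beta1) echo in-affected-range ;;
    1.0.1[g-z]*|1.0.2*|1.1*|3.*)  echo fixed ;;
    1.0.0*|0.9.*)                 echo not-affected ;;
    *)                            echo unknown ;;
  esac
}

# $1: output of `openssl version -a`. A build whose compiler flags include
# -DOPENSSL_NO_HEARTBEATS has the heartbeat extension removed and is not
# exploitable whatever its version number says.
heartbeats_compiled_out() {
  case "$1" in
    *OPENSSL_NO_HEARTBEATS*) echo yes ;;
    *)                       echo no ;;
  esac
}

# Distribution package changelogs name the CVE when the fix was backported.
# Paths and the rpm query are the usual Debian/Ubuntu and RPM ones (assumed).
distro_notes_fix() {
  for f in /usr/share/doc/libssl1.0.0/changelog.Debian.gz /usr/share/doc/openssl/changelog.Debian.gz; do
    [ -r "$f" ] && zcat "$f" 2>/dev/null | grep -q CVE-2014-0160 && { echo yes; return 0; }
  done
  command -v rpm >/dev/null 2>&1 && rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160 && { echo yes; return 0; }
  echo no
}

# Upgrading the package is not enough: long-running daemons keep the old
# library mapped until restarted. lsof marks such mappings "(deleted)".
# Prints "pid command" pairs that still need a restart.
processes_using_old_libssl() {
  lsof -n 2>/dev/null | grep -E 'libssl.*\(deleted\)' | awk '{print $2, $1}' | sort -u
}

# One-shot report for the local host.
heartbleed_report() {
  va=$(openssl version -a 2>/dev/null || echo "no openssl")
  echo "version class:                        $(heartbleed_version_class "$va")"
  echo "heartbeats compiled out:              $(heartbeats_compiled_out "$va")"
  echo "distro changelog names CVE-2014-0160: $(distro_notes_fix)"
  stale=$(processes_using_old_libssl)
  [ -n "$stale" ] && printf 'restart needed (pid command):\n%s\n' "$stale"
  return 0
}

# Run with: heartbleed_report
```

Read the report as a whole: `in-affected-range` together with `yes` from either of the next two checks means the library is patched, and anything listed under "restart needed" is a service still running the old code regardless of what the package manager says.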

  • Or Weinberger

    So what do you think about the fact that CloudFlare ‘sat’ on the patch for an entire week since they promised the researchers who found the bug not to disclose it?

    • David Mytton

      I believe this is the right thing to do so they could ensure that the patches were released and properly tested. The OpenSSL patch wasn’t released until yesterday so I assume the “delay” was for verifying the issue, building test cases, etc. I’d be interested to know why they got early access to the research though.