Dealing with OpenSSL bug CVE-2014-0160 (Heartbleed)
Written by David Mytton
Yesterday a serious vulnerability in the OpenSSL library was disclosed in CVE-2014-0160, also dubbed the Heartbleed Vulnerability. Essentially this means you probably need to regenerate the private keys used to create your SSL certificates, and have them reissued by your certificate authority.
This isn’t a difficult task, but it does take time: OpenSSL has to be updated across all your servers, and then you need to generate new keys, have the certificates reissued and install them in every location where they are deployed.
We have completed this process for all of our websites and applications, and for Server Density v2 we use perfect forward secrecy, which should protect against retrospective decryption of previous communications.
However, in the latest release of our server monitoring iPhone app we enabled certificate pinning which means until our latest update is approved by Apple, the app will not log in. You will still receive push notifications for alerts but attempts to log in to the app will fail. Certificate pinning embeds our SSL certificate within the app which is then used to prevent man in the middle attacks – the certificate that is returned through the API calls to our service is verified against the known certificate embedded in the app.
We discussed the best way to approach the reissue of certificates this morning and considered holding off to allow us to submit a new build to Apple with pinning disabled, then do a future update with the new certificate. However, we felt that the security vulnerability was severe enough that we should patch it for all our users at the expense of causing a small number of users to be unable to use the iPhone app for a few days.
We have requested Apple expedite the review process but it still takes at least 24 hours to get a new release out. In the meantime, you should check to see if your OpenSSL version is vulnerable and if so, update!
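The check recommended above can be scripted. The following POSIX shell snippet is an added example and is not part of the original post or of Server Density's tooling: it parses the output of `openssl version` and flags the upstream releases affected by CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1; the fix shipped in 1.0.1g). The version strings passed in the comments are constructed samples. One caveat a practitioner needs: several distributions backported the fix without changing the upstream version number, so a match means "verify against your package changelog", not "definitely vulnerable".

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the range
# affected by CVE-2014-0160 (Heartbleed).
# Affected upstream releases: 1.0.1, 1.0.1a-1.0.1f, and 1.0.2-beta1.
# Fixed in 1.0.1g and 1.0.2-beta2. Branches 0.9.8 and 1.0.0 never had the
# heartbeat code and are not affected.
#
# Caveat: distribution packages (Debian, Ubuntu, RHEL, ...) often keep the
# upstream version string (e.g. "1.0.1e") and backport the fix, so a hit here
# means "check the package changelog", not "definitely vulnerable".

# Returns 0 when the version token is inside the affected range, 1 otherwise.
heartbleed_affected() {
    ver="$1"
    case "$ver" in
        1.0.1)          return 0 ;;   # bare 1.0.1 release
        1.0.1[a-f])     return 0 ;;   # 1.0.1a through 1.0.1f
        1.0.2-beta1)    return 0 ;;   # first 1.0.2 beta
        *)              return 1 ;;   # 1.0.1g+, 1.0.2-beta2+, 0.9.8, 1.0.0, ...
    esac
}

# Extract the version token from a line such as
# "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample) -> "1.0.1e"
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Run the check against the locally installed openssl binary.
# Exit status: 0 = possibly vulnerable, 1 = not in affected range, 2 = no openssl.
check_local_openssl() {
    out=$(openssl version 2>/dev/null) || { echo "openssl binary not found"; return 2; }
    tok=$(openssl_version_token "$out")
    if heartbleed_affected "$tok"; then
        echo "POSSIBLY VULNERABLE: $out (confirm via distro changelog, then update)"
        return 0
    fi
    echo "not in affected range: $out"
    return 1
}
```

Run `check_local_openssl` on each host; an exit status of 0 is a prompt to confirm the distribution's patch state and then update, after which the private keys and certificates still need regenerating as described above, since the vulnerable period may already have exposed them.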