exceptional encryption for everyone


Tuesday, April 8, 2014

How the Heartbleed OpenSSL bug affects surespot


TL;DR: change your password and back up your identity again; the contents of your messages could not have been read.

Our hosting company is Linode. We use their "NodeBalancer" product for load balancing, including its SSL termination feature, so the SSL connections from surespot clients ended at Linode's NodeBalancer rather than on our own servers, and that is where the vulnerable OpenSSL was running. According to Linode, the vulnerability was patched in their NodeBalancers within 4 hours of the initial bug reports, so surespot was exposed to the exploit until then. Note that the bug had been present in OpenSSL since version 1.0.1 (March 2012), so an attacker who knew about it before the public disclosure could have used it earlier.

Heartbleed lets an attacker read chunks of the SSL server's process memory, which can include recently handled plaintext. Surespot relies upon HTTP sessions secured with SSL, so there was the potential that a session identifier could have been read from the NodeBalancer's memory and used to hijack that session, letting the attacker talk to the server posing as that user. In this state, the attacker could have performed the attacks described under "Login validation, sessions, and web method access" in the surespot threat analysis found on our website here: https://www.surespot.me/documents/threat.html.

Fortunately, as described in our threat document, these attacks are relatively minor. The encrypted message contents themselves were not exposed: messages are end-to-end encrypted and can only be decrypted with the private key, which is stored on your device, so nothing that passed through the NodeBalancer could decrypt them.

Actions we are taking:

We have deleted all current sessions, so any session that may have been hijacked is no longer usable. Since Linode has patched the bug, new sessions are no longer exposed.

It is also possible that an attacker obtained the credentials needed to log in, which pass through the SSL terminator during login, and could use them to create a fresh session that our session reset does not affect. In this unlikely event, to prevent the attacker from creating a new session we recommend changing your password (don't forget to back up your identity again).
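As an added illustration (not surespot's code, and not taken from the post), here is a minimal Python session store that implements both of the measures above: a global reset that rejects every session issued before a cutoff, and a per-user password generation counter, so that a stolen session token stops working after the reset and a session an attacker created with a leaked password stops working once the password is changed. The class and function names and the PBKDF2 parameters are assumptions for the example.

```python
# Added example (not surespot's code): a minimal server-side session store
# supporting "revoke every session issued before time T" and password changes
# that also invalidate sessions. Names and hashing parameters are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; tune iterations for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    # Incremented on every password change. Sessions remember the value they
    # were issued under, so changing the password invalidates all of them.
    password_generation: int = 0


@dataclass
class Session:
    user: str
    issued_at: float
    password_generation: int


class SessionStore:
    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        self._sessions: Dict[str, Session] = {}
        # Any session issued before this timestamp is rejected. Setting it is
        # the "delete all current sessions" step; it also covers tokens that
        # survive in a replica or cache the delete did not reach.
        self.not_before: float = 0.0

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name: str, password: str, now: float) -> Optional[str]:
        """Check credentials and issue a session token, or return None."""
        user = self._users.get(name)
        if user is None:
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt),
                                   user.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(name, now, user.password_generation)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user a token belongs to, or None if it is not valid."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.issued_at < self.not_before:
            return None  # issued before the global reset
        user = self._users.get(session.user)
        if user is None or session.password_generation != user.password_generation:
            return None  # password changed since the session was issued
        return session.user

    def revoke_all(self, now: float) -> int:
        """Invalidate every existing session; returns how many were dropped."""
        self.not_before = now
        count = len(self._sessions)
        self._sessions.clear()
        return count

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Rotate a user's password; all sessions issued under the old one die."""
        user = self._users.get(name)
        if user is None or not hmac.compare_digest(
                _hash_password(old, user.salt), user.password_hash):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new, user.salt)
        user.password_generation += 1
        return True
```

The generation counter is what makes the password change effective against an attacker who already logged in with leaked credentials: clearing the session table alone would not stop them from logging in again, and a password change without the counter would leave their existing session valid.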

We have reissued the SSL certificate, since the server's private key could also have been among the memory exposed by the bug. A reissued certificate only removes that risk if it is issued for a newly generated private key and the old certificate is revoked.

We wish to reiterate that the contents of your surespot messages were not made readable by this OpenSSL bug.

~the surespot project