Mitigating the Heartbleed vulnerability
On April 7, 2014 a severe vulnerability in the OpenSSL cryptography library (CVE-2014-0160) was disclosed. Known as Heartbleed, it is a missing bounds check in the TLS heartbeat extension: an unauthenticated attacker can send a malformed heartbeat request and read up to 64 KB of the server process's memory per request, repeatedly, without leaving anything in the application logs. That memory can contain the server's private key, session cookies, passwords and any other data the process was handling. The vulnerable releases are OpenSSL 1.0.1 through 1.0.1f; 1.0.1g contains the fix.
This issue affected feedhq.org, as the site terminates its TLS traffic with OpenSSL.
Here is what has been done so far to mitigate this issue:
- FeedHQ's infrastructure has been updated to the latest version of OpenSSL, which contains the fix for the Heartbleed bug.
- The SSL certificate securing https://feedhq.org has been revoked and a new certificate, generated from a new private key, has been deployed.
- All user sessions and API tokens have been revoked -- twice :). This has minimal impact for app users. Web users will have to log in again.
There is no indication that user data has been compromised. If you think it might be the case for you, please let us know.
Furthermore, we try to follow the best practices for transport encryption as closely as possible. The SSL setup has offered Perfect Forward Secrecy for quite some time: with ephemeral (Diffie-Hellman) key exchange the server's long-term private key is never used to derive session keys, so a key stolen through Heartbleed cannot be used to decrypt traffic that was recorded earlier. It does not protect connections that are open at the moment of the attack, since the memory read by Heartbleed can also hold their session keys and plaintext.
The Heartbleed bug is very serious and a lot of sites were (and still are) impacted. Although the vulnerability was discovered and disclosed very recently, it is possible that it has been exploited before that: the bug was introduced in March 2012, and exploitation leaves no trace in server logs, so nobody can say for sure. If you want to mitigate this issue on your side, the course of action is a bit radical:
- Do not log in to HTTPS websites before checking that they are not vulnerable.
- Make sure that your browser supports and prefers forward-secret cipher suites (ECDHE or DHE). Forward secrecy is negotiated, so both the browser and the server have to support it.
- Do not trust HTTPS websites which use an SSL certificate issued before April 7, 2014: a site that patched OpenSSL but kept its old key may be serving a certificate whose private key has already leaked.
- Change your passwords. All of them. Do it only after the site in question has been patched and has replaced its certificate, otherwise the new password can leak the same way the old one did.
Self-hosted FeedHQ users
For those of you who run your own instance of FeedHQ over SSL, here are the steps to revoke sessions and API tokens. Before going through them, make sure your TLS stack is patched (OpenSSL 1.0.1g or later, or a distribution build that carries the fix), that every process which had loaded the old library has been restarted, and that you have replaced your certificate with one generated from a new key: revoking tokens on a server that is still vulnerable only hands the new tokens to the attacker.
On your database host, open a psql shell to your FeedHQ database and run:
On your Redis host, run:
redis-cli --raw keys '*:django.contrib.sessions.cache*' | xargs redis-cli del
redis-cli --raw keys '*:reader_post_token:*' | xargs redis-cli del
redis-cli --raw keys '*:reader_auth_token:*' | xargs redis-cli del
The patterns are quoted so that the shell passes the * through to Redis instead of expanding it against files in the current directory.
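The three redis-cli pipelines above do the job, but KEYS walks the entire keyspace in one blocking call (on a large instance every other client stalls while it runs) and an empty match list makes xargs run a bare DEL that fails. The script below is an added example, not FeedHQ's own code: it revokes the same three namespaces with SCAN, which returns one page of keys at a time, and deletes them in batches. It assumes redis-cli is on PATH (or that REDIS_CLI names a wrapper accepting the same arguments, for instance one adding -h, -p or -a), that the keys contain no whitespace (true for Django's cache-backed session keys and FeedHQ's token keys), and a file name of revoke_feedhq_tokens.sh for the run guard; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not FeedHQ's own script): revoke every FeedHQ session and
# API token stored in Redis, walking the keyspace with SCAN instead of KEYS.
# KEYS scans the whole keyspace in one blocking call and stalls every other
# client on a large instance; SCAN hands back a page at a time.
#
# Assumptions: redis-cli is on PATH (or REDIS_CLI names a wrapper taking the
# same arguments), and keys contain no whitespace, which holds for Django's
# cache-backed session keys and FeedHQ's token keys.
set -f   # disable pathname expansion: the patterns below must reach Redis as-is
REDIS_CLI="${REDIS_CLI:-redis-cli}"

# Key patterns from the post, one per namespace to wipe.
FEEDHQ_PATTERNS='*:django.contrib.sessions.cache* *:reader_post_token:* *:reader_auth_token:*'

# scan_keys PATTERN: print every key matching PATTERN, one per line,
# following the SCAN cursor until the server hands back 0.
scan_keys() {
    pattern=$1
    cursor=0
    while :; do
        # With --raw, SCAN prints the next cursor on line 1 and then the keys.
        out=$($REDIS_CLI --raw scan "$cursor" match "$pattern" count 1000) || return 1
        cursor=$(printf '%s\n' "$out" | sed -n '1p')
        printf '%s\n' "$out" | sed '1d;/^$/d'
        [ "$cursor" = "0" ] && break
    done
}

# revoke_pattern PATTERN: DEL all matching keys in batches of 500 and print
# how many were deleted. An empty match list prints 0 instead of running a
# bare DEL, which is what `keys ... | xargs redis-cli del` would do.
revoke_pattern() {
    keys=$(scan_keys "$1") || return 1
    count=0
    set --
    for k in $keys; do
        set -- "$@" "$k"
        if [ $# -ge 500 ]; then
            $REDIS_CLI del "$@" >/dev/null || return 1
            count=$((count + $#))
            set --
        fi
    done
    if [ $# -gt 0 ]; then
        $REDIS_CLI del "$@" >/dev/null || return 1
        count=$((count + $#))
    fi
    echo "$count"
}

# revoke_all: run revoke_pattern over every namespace and report per pattern.
revoke_all() {
    for p in $FEEDHQ_PATTERNS; do
        n=$(revoke_pattern "$p") || { echo "error: could not revoke $p" >&2; return 1; }
        echo "$p: $n key(s) deleted"
    done
}

# Run only when executed as the script (assumed file name), not when sourced.
case "$0" in *revoke_feedhq_tokens.sh) revoke_all ;; esac
```

Run it on the Redis host after the OpenSSL upgrade, the restart of the TLS-terminating processes and the certificate replacement, in that order. Users with a valid session are logged out the moment their key is deleted, and API clients have to obtain a new token, which is exactly the point.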