The FeedHQ Blog

News and product announcements about FeedHQ.

Mitigating the Heartbleed vulnerability

April 8, 2014 - brutasse

On April 7, 2014 a severe vulnerability in the OpenSSL cryptography library was disclosed. Known as Heartbleed, this vulnerability allows an attacker to steal the keys used to encrypt communication with a server as well as portions of the server's system memory.

This issue impacted feedhq.org as the site uses OpenSSL to secure its traffic.

Here is what has been done so far to mitigate this issue:

  • FeedHQ's infrastructure has been updated to the latest version of OpenSSL that contains the fix for the Heartbleed bug.
  • The SSL certificate securing https://feedhq.org has been revoked and a new certificate has been deployed.
  • All user sessions and API tokens have been revoked -- twice :). This has minimal impact for app users. Web users will have to log in again.

There is no indication that user data has been compromised. If you think it might be the case for you, please let us know.

Furthermore, we try to follow best practices for transport encryption as closely as possible. The SSL setup has supported Perfect Forward Secrecy for quite some time, so a stolen server private key cannot be used to decrypt previously recorded traffic.

Beyond feedhq.org

The Heartbleed bug is very serious and a lot of sites were (and still are) impacted. Although the vulnerability was discovered and disclosed very recently, it is possible that it's been exploited before that: the bug was introduced in March 2012. If you want to mitigate this issue on your side, the course of action is a bit radical:

Self-hosted FeedHQ users

For those of you who run your own instance of FeedHQ over SSL, here are the steps to revoke sessions and API tokens. Make sure your SSL installation is secure and patched before going through these steps.

On your database host, open a psql shell to your FeedHQ database and run:

TRUNCATE reader_authtoken;

On your Redis host, run:

# Quote the patterns so the shell does not expand them as file globs before redis-cli sees them.
redis-cli --raw keys '*:django.contrib.sessions.cache*' | xargs redis-cli del
redis-cli --raw keys '*:reader_post_token:*' | xargs redis-cli del
redis-cli --raw keys '*:reader_auth_token:*' | xargs redis-cli del
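The same revocation as an added example (not FeedHQ's own script), using SCAN instead of KEYS so a large session store is not blocked while it is walked, skipping the DEL call when nothing matched, and re-counting each pattern afterwards so you can confirm the revocation actually took effect. It assumes redis-cli on the PATH and GNU xargs (for -r); the key names used in the offline filter are constructed.

```shell
# Stale-key rule from the FeedHQ post: sessions, post tokens, auth tokens.
# Pure shell glob matching, so the rule can be checked without a live Redis.
key_is_stale() {
    case "$1" in
        *:django.contrib.sessions.cache*|*:reader_post_token:*|*:reader_auth_token:*)
            return 0 ;;
    esac
    return 1
}

# Filter a key listing on stdin (one key per line) down to the stale ones.
select_stale_keys() {
    while IFS= read -r key; do
        if key_is_stale "$key"; then
            printf '%s\n' "$key"
        fi
    done
    return 0
}

# Delete every key matching one pattern. --scan iterates with SCAN rather
# than KEYS, the quoted pattern reaches redis-cli intact, and `xargs -r`
# (GNU extension, assumed) runs no DEL at all when the scan returns nothing.
revoke_pattern() {
    redis-cli --scan --pattern "$1" | xargs -r -n 100 redis-cli del >/dev/null
}

# Number of keys still matching a pattern; expected to be 0 after revoking.
count_remaining() {
    redis-cli --scan --pattern "$1" | wc -l | tr -d ' '
}

# Revoke all three key families and fail loudly if any remain.
revoke_feedhq_sessions() {
    for p in '*:django.contrib.sessions.cache*' \
             '*:reader_post_token:*' \
             '*:reader_auth_token:*'; do
        revoke_pattern "$p"
        left=$(count_remaining "$p")
        echo "$p: $left remaining"
        [ "$left" -eq 0 ] || return 1
    done
}
```

Run `revoke_feedhq_sessions` on the Redis host after the TRUNCATE above; a non-zero "remaining" count means keys were written while the scan ran and the function should be re-run.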