Last Monday, a major security vulnerability called “Heartbleed” was announced in OpenSSL, security software that is widely used by web services in order to protect the privacy of communication on the internet. The Heartbleed bug affected many internet services — including Google and Yahoo — making it possible for their web servers to leak users’ private information, including account passwords. The privacy and security of our users is extremely important to us, so we’ve written this update to explain how Heartbleed affects Telerivet users, as well as the actions Telerivet has already taken to protect your privacy and security.
Most importantly, Telerivet’s production servers were not vulnerable to the “Heartbleed” bug, since we were fortunately using a version of OpenSSL that did not have the bug. However, some of our internal testing servers were vulnerable until last Monday afternoon, and we also inadvertently ran one unpatched server for less than 5 minutes on Thursday. Also, some third-party services that Telerivet uses to handle messaging, customer support, analytics, and payments (Twilio, Nexmo, Intercom, KISSmetrics, Sift Science, and Stripe) were vulnerable to Heartbleed until last Monday or Tuesday, but have since been patched and secured.
After a thorough security audit of Telerivet’s systems, we have no reason to believe that any of Telerivet users’ private information was exposed due to the Heartbleed vulnerability. We’re not requiring users to change their Telerivet password, although any concerned users are encouraged to do so. In particular, it may be a good idea to change your password if you use the same password on other services that were vulnerable.
The vulnerabilities in those third-party services may theoretically have allowed certain Telerivet customer information such as names, email addresses, and payment information to be exposed, although all of these services currently report no evidence that any data was improperly accessed due to the Heartbleed bug.
We have already rotated the secret keys and SSL certificates that Telerivet’s servers use to encrypt communications, while revoking our old certificates, in order to ensure that Heartbleed poses no future risk to Telerivet users. (Although the date on our SSL certificates hasn’t changed, they actually are using entirely new keys.) In addition, we notified a small number of users who logged in to the unpatched server during a five-minute interval on Thursday, and subsequently regenerated our SSL keys and certificates. We have also required all Telerivet staff to reset all passwords for all services impacted by the Heartbleed vulnerability.
In addition to taking immediate steps to respond to this particular vulnerability, we’ve also taken this opportunity to review other areas of Telerivet’s security for improvement, and have already implemented several changes to make our security even stronger than before. In particular, Telerivet’s SSL implementation now supports Perfect Forward Secrecy and HTTP Strict Transport Security, and it now receives an “A+” grade from Qualys’s SSL tester.
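As an added illustration (not code from Telerivet or this post), the following Python check evaluates a TLS deployment for the two hardening properties just mentioned: forward secrecy, which requires every offered cipher suite to use ephemeral (EC)DHE key exchange, and a Strict-Transport-Security header with a sufficiently long max-age. The cipher lists and headers below are constructed sample data, and the 180-day minimum is an assumed policy threshold.

```python
"""Assess a TLS configuration for forward secrecy and HSTS (added example)."""

# OpenSSL-style cipher names begin with the key-exchange method. Only the
# ephemeral variants (ECDHE, DHE) give forward secrecy: a later compromise of
# the server's long-term private key (e.g. via a Heartbleed-style memory leak)
# cannot be used to decrypt previously captured sessions.
FORWARD_SECRET_KX = ("ECDHE", "DHE")


def cipher_has_forward_secrecy(name):
    """True if an OpenSSL-style cipher suite name uses ephemeral key exchange."""
    if name.startswith("TLS_"):          # TLS 1.3 suites are always (EC)DHE
        return True
    return name.split("-")[0] in FORWARD_SECRET_KX


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"present": False, "max_age": 0, "include_subdomains": False}
    if not header:
        return result
    result["present"] = True
    for directive in header.split(";"):
        key, _, value = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age" and value.strip().isdigit():
            result["max_age"] = int(value.strip())
        elif key == "includesubdomains":
            result["include_subdomains"] = True
    return result


def assess(ciphers, hsts_header, min_hsts_age=15552000):
    """Return a list of findings; an empty list means both properties hold.

    min_hsts_age defaults to 180 days (assumed policy threshold)."""
    findings = []
    non_fs = [c for c in ciphers if not cipher_has_forward_secrecy(c)]
    if non_fs:
        findings.append("no forward secrecy: " + ", ".join(non_fs))
    hsts = parse_hsts(hsts_header)
    if not hsts["present"]:
        findings.append("HSTS header missing")
    elif hsts["max_age"] < min_hsts_age:
        findings.append("HSTS max-age %d below %d" % (hsts["max_age"], min_hsts_age))
    return findings


# Constructed sample data: a weak "before" configuration (static RSA key
# exchange, no HSTS) and a hardened "after" configuration.
BEFORE_CIPHERS = ["AES128-SHA", "DES-CBC3-SHA"]
BEFORE_HSTS = None
AFTER_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA"]
AFTER_HSTS = "max-age=31536000; includeSubDomains"
```

Running `assess(BEFORE_CIPHERS, BEFORE_HSTS)` reports both weaknesses, while the hardened configuration returns no findings.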
Heartbleed was likely the most serious security vulnerability in several years, and affected nearly every web user and every web service. Fortunately, there is currently no evidence that any private information related to Telerivet has been compromised due to the Heartbleed vulnerability. And even better, companies everywhere are now taking this opportunity to strengthen their security even further to prevent other vulnerabilities in the future, which will be good for the average user in the long run.
(Updated 4/13 to add additional third-party services affected by Heartbleed)