Statement on CVE-2014-0160 "Heartbleed"

MyClient is not currently vulnerable to the Heartbleed issue.

Background

On 7 April 2014, details of a significant issue were disclosed in OpenSSL, a software library used by MyClient to provide HTTPS connectivity. Estimates indicate that up to 17% [0] of all HTTPS sites on the internet were affected by this vulnerability, which could be used to retrieve arbitrary memory from the web server process, including login passwords, session cookies, and SSL certificate private keys.

Forbes described this "Heartbleed" vulnerability as "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet". [1] For more information on the vulnerability, http://heartbleed.com/ provides a good overview.

MyClient

Staff were tracking this issue as soon as it was announced, and applied updated OpenSSL packages for our operating system within minutes of them becoming available. MyClient is not currently vulnerable to this issue.

AhsayOBS in its default configuration is not currently vulnerable to this issue. It may be vulnerable if you have switched Tomcat to use APR as the HTTPS connector, because the APR/native connector performs TLS through OpenSSL, whereas the default Java (JSSE) connectors do not use OpenSSL at all.
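An added example (not from this statement or from the Ahsay project) of the check a practitioner would run for the AhsayOBS point above: it parses a Tomcat server.xml and reports which HTTPS connectors would use the APR/native connector, and therefore OpenSSL. The server.xml below is constructed for illustration; the auto-select rule it applies (protocol "HTTP/1.1" chooses APR when the AprLifecycleListener is configured and the tcnative library is installed) is Tomcat's documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml with three HTTPS connectors (not a real deployment).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="10443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
"""

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"


def classify_https_connectors(server_xml: str) -> dict:
    """Map each SSL-enabled connector port to the TLS stack it would use.

    Verdicts: "apr" (OpenSSL via tcnative), "jsse" (Java TLS, not OpenSSL),
    or "apr-if-native" (auto-select; APR is chosen only when the native
    library is actually present on the server, which XML alone cannot show).
    """
    root = ET.fromstring(server_xml)
    apr_listener = any(
        listener.get("className", "").endswith("AprLifecycleListener")
        for listener in root.iter("Listener")
    )
    verdicts = {}
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no TLS stack involved
        protocol = connector.get("protocol", "HTTP/1.1")
        if protocol == APR_PROTOCOL:
            verdict = "apr"
        elif protocol == "HTTP/1.1" and apr_listener:
            verdict = "apr-if-native"
        else:
            verdict = "jsse"
        verdicts[connector.get("port")] = verdict
    return verdicts


if __name__ == "__main__":
    for port, verdict in classify_https_connectors(SAMPLE_SERVER_XML).items():
        print(f"port {port}: {verdict}")
```

Connectors reported as "apr" or "apr-if-native" are the ones whose OpenSSL version needs checking against the patched packages; "jsse" connectors were never exposed to this bug.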

A brief advisory was sent to all customers on 12 April 2014.

During the vulnerable period

We have no reason to believe that any sensitive information was leaked during the vulnerable period.

  • At the time of writing, all publicly known methods to retrieve the SSL private key require a large number of network requests, [2] which would have been visible in our server logs and monitoring systems. We can confirm that no such attack took place on any of our servers.
  • Small-scale Heartbleed attacks that might disclose passwords or session cookies do not appear in web server logs. However, we patched the issue well before any testing tools became publicly available, and as a result we consider it a very low risk that passwords or session cookies were disclosed.
    • All session cookies have since been rotated.
    • It is important to maintain good password hygiene and change your password regularly, regardless of this issue.

SSL revocation and false positives

MyClient chose not to revoke any SSL certificates, for two reasons:

  1. At the time of writing, and assuming current versions of Chrome or Firefox, certificate revocation is merely a placebo; in any situation where a certificate might be fraudulently used to impersonate MyClient, the revocation can also be bypassed. [3] [4]
  2. We consider it to be an acceptably low risk that any certificates were leaked.

This decision has led to some heuristic checking tools giving false positive detections against our service, because our servers do use OpenSSL and the same certificate was used during the vulnerable period. Notably, the built-in LastPass check and the Netcraft browser extension give false positive results.

Any check system that directly attempts the exploit (e.g. [5]) will demonstrate that the issue has been resolved.