Many websites using the OpenSSL cryptography library have been compromised with an OpenSSL heartbeat extension memory leak named Heartbleed. Plenty of customers and friends of ours have requested a simple way to check their site for the vulnerability, and a very nice public researcher released a tool to do just that. You should immediately upgrade your implementation of OpenSSL to version 1.0.1g or newer. Once you've upgraded your OpenSSL library, you must revoke all of your SSL keys, reissue new keys, and then redistribute them, along with the certificates they correspond to.

How you can stay safe

We ran this check against all of the websites registered with Tinfoil and have e-mailed the users who are vulnerable to Heartbleed. We have also built a Heartbleed test into our main vulnerability scanner and future scans will include a check for Heartbleed, so you'll be able to make sure it doesn't come back or pop up on future websites. All of our future scans on any Basic plan or higher will now check for this vulnerability, and you can always tell if we scanned for it by looking at the list of Modules on a report's Statistics page.

How we've kept you safe

Like many service providers, once Tinfoil became aware of Heartbleed, we moved to address, and evaluate the impact of, this vulnerability. We know that our users share our concern for security and privacy, so we want you to be aware of the specifics of the Heartbleed vulnerability as it relates to Tinfoil. We have no evidence that the Heartbleed vulnerability was used to obtain any Tinfoil data or to access Tinfoil services. We applied patches to all affected servers yesterday as soon as we found out about Heartbleed, replaced our private key and SSL certificate since it's plausible that Tinfoil's certificates could have been exposed, and invalidated all existing user sessions and cookies by rotating our secret key.

While there's no indication that Tinfoil user data has been impacted, we strongly recommend that you update your Tinfoil account password. If you use our API, we highly recommend deactivating any existing keys and reissuing new ones.

As always, if you have any questions or problems, please don’t hesitate to respond to this email or chat with us at http://www.tinfoilsecurity.com/chat. Stay safe out there.

Michael "Borski" Borohovski

Michael Borohovski is cofounder and CTO at Tinfoil Security. He got his start in security when he was just 13 years old, and has been programming for longer than he can remember. When he's not busy breaking software or building it, he also loves singing, juggling, and magic tricks. Yes, magic tricks.