OpenSSL 'Heartbleed' vulnerability summary - Papertrail Blog


OpenSSL ‘Heartbleed’ vulnerability summary

Posted by Troy Davis on

A vulnerability in OpenSSL called CVE-2014-0160 (nicknamed “Heartbleed”) was publicly announced on Monday, April 7. Papertrail:

  • Patched the HTTPS endpoint serving on Monday at 3:30 PM UTC-7 (see status blog).
  • Verified that our TLS-encrypted log endpoint is not vulnerable to the
  • Changed to use a new TLS certificate at 5:00 PM UTC-7. This certificate
    was generated with a different private key. Related internal passphrases
    were also changed.
  • Deployed forward secrecy as part of patching OpenSSL.

This vulnerability affects many, probably most, SSL-enabled Internet
services in some form. We echo Tumblr’s recommendation, as reported in
the LA Times: “take some time to change your passwords everywhere.” Be safe.