Heartbleed Statement
April 13th, 2014
By now many people have heard about The Heartbleed Bug, last week’s internet-wide security issue based in a problem with the popular OpenSSL encryption libraries. I have put off making a public statement not because of ignorance about the bug but because I wasn’t sure it was appropriate or necessary. Over the past week I’ve become convinced that it’s a good idea for any affected company or site to fully disclose their exposure and response to the bug.
What was Red Sweater’s exposure?
Our only customer-facing service exposed via HTTPS is the Red Sweater Store, which was affected by the bug. In practice, this means that private customer data, including credit card numbers as well as customer names, addresses, and email addresses, could theoretically have been exposed to an attacker during the exposure window. Credit card numbers used in the purchase of Red Sweater products are never stored on Red Sweater servers, but they are held in memory for a short time while encrypted transactions are created with PayPal, our credit card processor.
What was the exposure window?
Although the bug existed in OpenSSL for almost 3 years, I was somewhat lucky in that I had only updated the Red Sweater Store to an affected version of OpenSSL on March 6, 2014, about one month before the vulnerability was disclosed.
What was Red Sweater’s response?
While some larger services were apparently notified of the bug earlier, it was not shared with the public until Monday, April 7. Red Sweater’s secure server was updated with fixed software at around 3:30AM Pacific time on April 8. By 9:00AM Pacific, I had created a new private key for Red Sweater, reissued, and installed the updated certificates. From this point onward there is no known risk of exposure of any private customer data submitted to the Red Sweater Store.
What should customers do?
Theoretically, any affected site has been vulnerable to possible eavesdropping during the exposure window. Because the Red Sweater Store does not incorporate a password or cookie-based credentials system, there is nothing that needs proactive changing to limit further exposure. Because of the wide-reaching nature of this bug, I would advise all users of all web sites to be on guard about possible exposure of private information including credit card numbers. Because of the small exposure window and relatively low profile of Red Sweater, I think the risk to my customers on this site in particular is low.
If you have any questions at all about my response to the Heartbleed bug or to any other security issue, do not hesitate to contact me (Daniel Jalkut, founder of Red Sweater).
April 13th, 2014 at 2:33 pm
Thanks, Daniel, for the timeline of the Heartbleed vulnerability.
April 14th, 2014 at 11:41 am
Is there any client side issue for the apps?
April 14th, 2014 at 12:20 pm
Hi Joseph – I don’t think there is any issue, but perhaps I haven’t thought through all the scenarios? What flavor of issues are you imagining might exist? MarsEdit, for example, does connect to HTTPS endpoints but relies upon standard Mac OS X system mechanisms for confirming trust. As far as I know, the only issues for clients would have to do with whether or not, e.g., revoked certificates are untrusted. Did you have something else in mind?