PocketSmith Security Update Regarding "Heartbleed" Vulnerability
Blog post
·
11 Apr, 2014
We take security very seriously at PocketSmith. On the 8th of April 2014 at 05:30am NZST (7th of April 2014, ~17:30 UTC), a major vulnerability dubbed “Heartbleed” was disclosed by researchers from Google and the Finnish security consulting group Codenomicon.
This vulnerability existed in one of the Internet’s primary security protocols. Hundreds of thousands of services across the internet, including PocketSmith, could have been affected by this issue. Detailed information on the vulnerability can be found at .
Contents
- Measures Taken by PocketSmith
- What you need to do
- Update, Friday 11th of April, 19:00 NZST / 07:00 UTC
- Update, Sunday 13th of April, 11:30 NZST / 23:30 UTC
- Update, Tuesday 22nd of April, 23:14 NZST
- Update, Tuesday 29th of April, 23:14 NZST
Measures Taken by PocketSmith
Since the announcement, we’ve been taking the required measures to ensure the ongoing security of PocketSmith. All servers were updated to fix the vulnerability within 12 hours of disclosure. User information was not affected by the bug at all. There is no indication that any data was compromised at any stage.
Currently we’re working with our SSL certificate provider to obtain brand new certificates. This appears to be taking longer than usual due to the number of companies attempting to do the same.
Once these are installed, our old SSL certificates will be deactivated. This protects PocketSmith in the extremely unlikely scenario that our SSL certificates keys were compromised.
What you need to do
We’re recommending that you err on the side of caution, and change your PocketSmith password twice - once right now, and again when we receive the new certificates and the old ones are deactivated. We’ll post another notice when the new certificates are in place - but for the moment, change your password here.
Below are some links for further reading on Heartbleed. If you have any further questions, feel free to drop us an email at [email protected].
~ the Team at PocketSmith
Update, Friday 11th of April, 19:00 NZST / 07:00 UTC
We’ve now received the new certificate for pocketsmith.com. These have now been installed on all servers, and we’re now starting the process for revoking the existing certificates.
Note that we’ve switched to the generic pocketsmith.com certificate for the main application at . The Extended Validation certificate that is normally used here (giving the “green bar” in your browser) will be returning once things are finalised with our certificate provider.
Update, Sunday 13th of April, 11:30 NZST / 23:30 UTC
The new Extended Validation certificate for the main application at is now installed, which means you’ll now see the green bar appear again in your browser when you head to the login page for the site.
We’ll post another update here when all of the old SSL certificates have been revoked (the important final step in responding to Heartbleed).
Update, Tuesday 22nd of April, 23:14 NZST
Yesterday, we received confirmation that the previous SSL certificate for my.pocketsmith.com has now been revoked from our certificate provider. We’re currently following up with them about revocation status of the other certificate. We’ll post an update here once this certificate has been confirmed as revoked.
Update, Tuesday 29th of April, 20:50 NZST
We’ve finally received confirmation that all certificates have been revoked from our certificate provider. This completes the loop with respect to the Heartbleed bug.
- Core information
- General information from the infosec community
- Expert opinion and updates
- Updated information regarding SSL certificates
- Timing information
