Draft’s Heartbleed Response
On April 7, 2014, information was released about a security vulnerability in OpenSSL, named Heartbleed (CVE-2014-0160). You can read more about it here:
It’s a very serious vulnerability: a missing bounds check in OpenSSL’s TLS heartbeat extension lets anyone who can open a connection to a server read chunks of that server’s memory, which can contain the private key behind its SSL certificate, session cookies, passwords and whatever else happened to be in memory, and the attack leaves nothing in the server’s logs. OpenSSL sits behind roughly two thirds of the web’s active servers, so it affected a huge share of the sites we visit every day, including Google, Yahoo, Amazon, Etsy, Tumblr, etc. Unfortunately, that includes Draft, because it uses OpenSSL through its hosting providers Heroku and Amazon.
I have no evidence the vulnerability was used to attack Draft and our data, but I immediately took the recommended actions to protect the service. And for stronger confidence, you should change your Draft password here:
https://draftin.com/draft/users/edit
And because so many sites use OpenSSL and were affected by this vulnerability, you should change your passwords across the internet, especially on sites that were running a vulnerable OpenSSL. Wait until a site has confirmed that it patched and replaced its certificate before changing your password there, though: a new password sent to a still-vulnerable server can leak exactly like the old one did.
How this has been fixed in Draft
Heroku and Amazon patched their servers and have been monitoring their networks for abuse:
https://blog.heroku.com/archives/2014/4/8/openssl_heartbleed_security_update
Measures I’ve taken:
- Invalidated everyone’s Draft session. You will be forced (or already have been) to log in to Draft again.
- Reissued the private key and SSL certificate for Draft.
- Reset the passwords and keys Draft uses to communicate to databases and other infrastructure.
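The first of those measures is worth seeing in code, because it is the one that defeats a session cookie an attacker may already have pulled out of server memory. Here is an added example, not Draft’s code (the post does not describe how Draft stores sessions), showing sessions kept in HMAC-signed cookies and invalidated all at once by rotating the signing secret: a cookie signed under the old secret, stolen or not, simply stops verifying. The function names and the session fields are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


def new_secret() -> bytes:
    """Generate a fresh cookie-signing secret. Rotating this is the 'invalidate
    everyone's session' step: every cookie signed under the old value fails verify_session()."""
    return secrets.token_bytes(32)


def sign_session(secret: bytes, session: dict) -> str:
    """Serialize a session dict into a tamper-evident cookie value: base64(json) + '.' + HMAC-SHA256."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_session(secret: bytes, cookie: str):
    """Return the session dict if the cookie was signed under `secret`, else None.
    Rejects malformed cookies, tampered cookies and cookies signed under a rotated-out secret."""
    body, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison of the MAC
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:                           # bad base64 or bad JSON
        return None


def rotate_and_check(session: dict):
    """Walk through the response: a cookie issued before the rotation verifies under the old
    secret and is rejected under the new one. Returns (before_rotation, after_rotation)."""
    old_secret = new_secret()
    stolen_cookie = sign_session(old_secret, session)   # assume this value leaked via Heartbleed
    before = verify_session(old_secret, stolen_cookie)
    current_secret = new_secret()                        # the rotation
    after = verify_session(current_secret, stolen_cookie)
    return before, after


if __name__ == "__main__":
    print(rotate_and_check({"user_id": 42, "issued_at": "2014-04-06T10:00:00Z"}))
```

The same idea applies to server-side sessions (delete the rows) and to the database and infrastructure credentials in the last bullet: anything that was in the process’s memory before the patch has to be treated as known to the attacker and replaced, not merely kept secret going forward.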
If you have any questions, please email me and let me know: nate@cityposh.com
And if you run any SSL-protected websites, the most important thing you can do next in your day is make sure you’ve upgraded OpenSSL (1.0.1g or later, or your distribution’s patched build of 1.0.1) and restarted every service that links against it, then start taking similar measures to protect your users: reissue keys and certificates, revoke the old certificates, invalidate sessions and rotate any secrets the server held in memory. Upgrading alone is not enough, because anything that was in memory before the patch may already have been read. You can test your websites to see if they are vulnerable with this tool: