HeartBleed and SocialGO

As you may have already heard, a security flaw was recently announced affecting the OpenSSL library going by the name of HeartBleed (so called because it exploits a flaw in the implementation of the HeartBeat extension within the SSL protocol).  This is a serious flaw and affected a large percentage of the Internet.  For the techies in the crowd, please see CryptographyEngineering for a more detailed description of the bug itself.

SocialGO is powered by Amazon Web Services and our SSL encryption is handled by Amazon’s Elastic Load Balancers (ELB).  These were confirmed to be vulnerable to the flaw and were patched by Amazon so they are no longer vulnerable.

Following the announcement by Amazon that the ELBs are no longer vulnerable, we have re-keyed the certificates used to protect your credit card details when you sign up or when you update those details.  We have also revoked the old certificates.

How does this affect you?

One possibility is that your credit card details will have been potentially available to anyone who knew of this flaw for some period of time after you used them on our site.  For most people, this will be shortly after they first signed up for a SocialGO network.  Since most attackers discovered the flaw at the same time we did, our customers who are at the greatest risk are those who signed up on the 7th or the 8th of April.  If you are concerned that your credit card details may be affected, contact your bank and ask them what they recommend as your best course of action.

Another possibility is that the private key used in the SSL encryption algorithms may be known to attackers who could use it to decrypt any traffic intercepted and stored in the past or the future or to impersonate us in the future.  Changing the keys we use prevents attackers decrypting future intercepted traffic and revoking the old keys prevents attackers impersonating us.

If you have an SSL certificate attached to your custom domain with SocialGO, please get in touch with our support team about re-keying your SSL certificate.

The major news outlets have advice on how end users should react to the news of the flaw and how it has been handled at various different websites they use.  A list of the most popular websites affected is available on Mashable and users of the LastPass password manager have a convenient list inside the application itself of which sites have mitigated the vulnerability and updated their SSL certificates and when you changed your password at each of these sites.


Posted in Uncategorized | Leave a comment