How Skeddly Was Affected by the Heartbleed Bug

Over the past few days, the Heartbleed Bug has caused many questions and uncertainty about SSL security. Many sites were impacted, including Skeddly. We don’t know, and we may never know, if anyone was actually able to exploit the bug, or if it went unnoticed for years without incident.

How Was Skeddly Impacted?

Skeddly uses AWS Elastic Load Balancers to handle SSL termination. AWS has confirmed that ELB was affected.

What Have We Done?

Amazon has addressed the issues within ELB in all regions, so Skeddly is no longer affected by this issue.

Since one possible exploit of the bug is the compromise of the SSL keys themselves, we have started using new SSL keys and revoked the old ones. If someone had gained access to the keys, they should not be able to use them anymore.

Security credentials for various APIs that we use have also been rotated.

What Should You Do?

You should assume the worst. Someone has confirmed that passwords were compromised at Yahoo.

We recommend you take the following precautions:

Change the passwords on your Skeddly accounts.
Create new credentials for your AWS account with which Skeddly should use. This includes access keys and roles.

If you are using Google Chrome, you can install a Heartbleed Chrome Extension that will inform you if the site you are visiting is affected by the Heartbleed bug. If all has gone according to plan, then this tool should remain silent when you use Skeddly.

Additional Resources

Heartbeat Test - http://filippo.io/Heartbleed/
Everything you need to know about the Heartbleed SSL bug - http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
Attack of the Week: OpenSSL Heartbleed - http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

By Matt Houser on Apr 17, 2014 in Announcements | Permalink

Skeddly Blog