our response to Heartbleed, the OpenSSL vulnerability

this was originally posted on our Facebook page on April 9th, 2014 and is being intentionally backposted here


On Monday 4/7/2014 a vulnerability in OpenSSL was announced to the public, nicknamed Heartbleed, and issued the tracking label CVE-2014-0160.

Essentially, this is a vulnerability in the protocol that encrypts https traffic in transit, between a user and a website. See this article in the New York Times for a good explanation.

At hubbub, the security of our users' data is of the utmost importance. Our response to this issue has been as follows:

  • On Tuesday morning, 9:03am Pacific 4/8/2014, the software running our SSL endpoints was upgraded.

  • Later on Tuesday morning, approximately 10:30am Pacific, 4/8/2014, the version of PostgreSQL we use was also upgraded. You may have noticed a few failed responses mid-morning Pacific time. That was our database restarting and warming its cache back up. See this Heroku status article for more detail.

  • On Wednesday 4/9/2014, we installed a new SSL certificate across all of our environments, testing and production, backed by a new, different private key.
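The third step only helps if the reissued certificate really is backed by a different private key; a certificate reissued against the old key leaves the same key exposed. The check below is an added example using the openssl CLI, not hubbub's own tooling, and the certificates it generates are constructed demo material.

```shell
#!/bin/sh
# Added example: confirm a reissued certificate carries a NEW public key by
# comparing the SHA-256 fingerprint of each certificate's SubjectPublicKeyInfo.
# Assumes the openssl CLI is installed.

# Print the SHA-256 fingerprint of the public key inside a PEM certificate.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Succeed (exit 0) only if the two certificates carry different public keys;
# fail (exit 1) if the "new" certificate reuses the old key or a read failed.
key_rotated() {
    old=$(spki_fingerprint "$1")
    new=$(spki_fingerprint "$2")
    echo "old key: $old"
    echo "new key: $new"
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# Constructed demo material in directory $1: an original self-signed cert,
# a reissue that reuses its key (the mistake this check catches), and a
# reissue on a freshly generated key.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/old.key" \
        -out "$dir/old.pem" -days 30 -subj "/CN=demo.example" 2>/dev/null
    openssl req -x509 -new -key "$dir/old.key" \
        -out "$dir/reused.pem" -days 30 -subj "/CN=demo.example" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/new.key" \
        -out "$dir/new.pem" -days 30 -subj "/CN=demo.example" 2>/dev/null
}

# Demo run: the reused-key reissue is flagged, the fresh-key reissue passes.
demo=$(mktemp -d)
make_demo_certs "$demo"
if key_rotated "$demo/old.pem" "$demo/reused.pem"; then
    echo "reused.pem: key rotated"
else
    echo "reused.pem: SAME KEY - rotation did not happen"
fi
if key_rotated "$demo/old.pem" "$demo/new.pem"; then
    echo "new.pem: key rotated"
fi
rm -rf "$demo"
```

In practice, run key_rotated against the certificate saved before the reissue and the one now served by the endpoint.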

We have no evidence that any of your sensitive information was compromised at any time. We are simply following the best practices the security community has outlined for this issue.

Lastly, we have changed our security credentials for software providers who have recommended that we do so.

If you have any further questions or comments, please feel free to email adam at hubbub health dot com

Thank you for your use and support of hubbub; we greatly appreciate it.

adam
co-founder, VP Product and Technology, hubbub health