It isn’t often that a bug in OpenSSL makes front-page news everywhere: CNN, the New York Times, the Wall Street Journal. The security flaw, known as Heartbleed (CVE-2014-0160), is a bounds-check bug in OpenSSL’s TLS heartbeat extension that lets a remote peer read chunks of a server’s process memory. It has both a dramatic name and a massive impact on the security of the web.
Bruce Schneier, a well-known expert in security and cryptography, does a great job of explaining both the flaw and its importance on his blog:
“This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it…. ‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
The Virtru team has a deep appreciation that new vulnerabilities, including those known only to a few (a.k.a. “zero-days”), are inevitable and constantly emerging, so we deploy redundant protections wherever possible. Part of this strategy is our strict enforcement of protections such as Perfect Forward Secrecy (PFS): every TLS session key is derived from an ephemeral (EC)DHE key exchange, and the server’s long-term private key only signs that exchange, so recorded traffic stays undecryptable even if the long-term key is leaked later.
Because we have required forward-secret SSL/TLS cipher suites on all our systems since our launch in January, an adversary who recorded our customers’ traffic during that period and then obtained our long-term private keys through this flaw in the OpenSSL version we had been using still cannot decrypt those recordings. Forward secrecy does not, however, protect whatever is in the server process’s memory while the bug is being exercised (session keys of live connections, plaintext of in-flight requests, credentials), which is why the credential expiry described below was also necessary.
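The following is an added example, not Virtru’s code, showing how to check that a TLS server configuration admits only forward-secret cipher suites. It uses Python’s standard `ssl` module to expand an OpenSSL cipher string (the same syntax nginx’s `ssl_ciphers` or Apache’s `SSLCipherSuite` takes) and flags any suite whose key exchange is static RSA. The two cipher strings are constructed for illustration; the permissive one is not Virtru’s configuration.

```python
import ssl

# Constructed cipher-list strings in OpenSSL syntax. The first admits static-RSA
# key exchange alongside ECDHE; the second is restricted to ephemeral (EC)DHE.
PERMISSIVE_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384"
FORWARD_SECRET_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"


def is_forward_secret(suite_name: str) -> bool:
    """True if the OpenSSL suite name implies an ephemeral key exchange.

    OpenSSL names TLS 1.2 suites after their key exchange: 'ECDHE-...' and
    'DHE-...' derive the session key from fresh per-connection Diffie-Hellman
    values, and the certificate key only signs them. Names with no such
    prefix ('AES128-GCM-SHA256', 'AES256-SHA', ...) use static RSA key
    transport: the long-term key decrypts the premaster secret, so a later
    key leak decrypts every recorded session. TLS 1.3 suites ('TLS_...')
    always use an ephemeral exchange.
    """
    return suite_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def non_forward_secret(suite_names):
    """Filter suite names down to those that lack forward secrecy."""
    return [name for name in suite_names if not is_forward_secret(name)]


def audit_cipher_string(cipher_string: str):
    """Expand an OpenSSL cipher string and return the suites that could be
    negotiated without forward secrecy (empty list means the config is safe)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return non_forward_secret(c["name"] for c in ctx.get_ciphers())


def forward_secret_server_context(certfile=None, keyfile=None):
    """Build a server context that refuses every non-forward-secret suite.

    certfile/keyfile are placeholders: when None, the context is returned
    without key material so the function runs without real files.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FORWARD_SECRET_CIPHERS)
    if certfile and keyfile:
        ctx.load_cert_chain(certfile, keyfile)
    # Fail loudly if the underlying OpenSSL build sneaks in a static-RSA suite.
    if non_forward_secret(c["name"] for c in ctx.get_ciphers()):
        raise RuntimeError("cipher list admits a non-forward-secret suite")
    return ctx


if __name__ == "__main__":
    print("non-FS suites in permissive config:", audit_cipher_string(PERMISSIVE_CIPHERS))
    print("non-FS suites in hardened config:  ", audit_cipher_string(FORWARD_SECRET_CIPHERS))
```

Run the audit against the cipher string your server actually uses; anything it reports is a suite under which a future private-key compromise would retroactively expose recorded sessions.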
In response to this vulnerability, Virtru engineers have:
- applied the latest security patches to all of our servers, which fix the root bug in the OpenSSL library (the fix shipped in OpenSSL 1.0.1g, and in distribution builds that backport it);
- taken the precautionary action of generating new private keys and deploying reissued certificates, then revoking our old certificates, doing so only after patching, since a key generated on a still-vulnerable server could itself have been read from memory;
- revoked credentials on Virtru clients to force users to re-activate and obtain secure new credentials, where appropriate; and
- contacted our third-party service providers to verify that their engineering teams have patched their services, so that Virtru’s communications with those services continue to be secure.
The first time a user installs a Virtru client, they complete an activation process which stores a secret credential on their device. The client then presents this secret credential in every subsequent request to Virtru in order to prove the user’s identity.
Because the Heartbleed bug lets a remote peer read fragments of a server’s process memory, a credential that had recently been presented to our servers could in principle have been read out of that memory, an attack that would not otherwise have been possible over SSL/TLS. We do not have any evidence to suggest that this has been exploited, and we believe that no information was compromised at any time. However, in the interest of being prudent, we have automatically expired some of these credentials on client devices.
As a result, some users will be prompted to reactivate the next time they use their Virtru client.
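The activation, authentication and bulk-expiry steps described above, as an added example in Python that is not Virtru’s code. It assumes a server-side store that keeps only a SHA-256 digest of each device secret together with its issue time, so that all credentials issued before a chosen cutoff (for instance, the moment the patched OpenSSL went live) can be revoked in one operation, forcing those clients back through activation. The clock parameter and the sample user IDs are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedCredential:
    user_id: str
    token_hash: bytes   # only the digest is stored server side
    issued_at: float    # unix time, used for bulk expiry


class CredentialStore:
    """Server-side registry of device activation credentials.

    The device keeps the raw secret and sends it with every request; the
    server stores only a SHA-256 digest, so a leak of the store itself yields
    hashes rather than usable secrets. A secret that was sitting in server
    memory as part of an in-flight request is still exposed by a memory
    disclosure bug, which is what revoke_issued_before() addresses.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing; defaults to wall time
        self._creds = {}             # token_hash -> IssuedCredential

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def activate(self, user_id: str) -> str:
        """Issue a fresh 256-bit secret for a device and return it exactly once."""
        token = secrets.token_urlsafe(32)
        h = self._digest(token)
        self._creds[h] = IssuedCredential(user_id, h, self._clock())
        return token

    def authenticate(self, token: str):
        """Return the user_id the token proves, or None if unknown or revoked.

        Lookup is by digest of a high-entropy random token, so an attacker
        cannot shape a guess byte by byte; no timing-safe compare is needed.
        """
        cred = self._creds.get(self._digest(token))
        return cred.user_id if cred else None

    def revoke_issued_before(self, cutoff: float) -> int:
        """Expire every credential issued before `cutoff` (e.g. the time the
        patched servers were deployed). Affected clients fail authenticate()
        and must re-run activation. Returns the number revoked."""
        stale = [h for h, c in self._creds.items() if c.issued_at < cutoff]
        for h in stale:
            del self._creds[h]
        return len(stale)


if __name__ == "__main__":
    store = CredentialStore()
    old_token = store.activate("alice@example.com")   # constructed sample user
    patched_at = time.time()
    print("revoked:", store.revoke_issued_before(patched_at))
    print("old token accepted:", store.authenticate(old_token))
    new_token = store.activate("alice@example.com")
    print("new token accepted:", store.authenticate(new_token))
```

Credentials issued after the cutoff are untouched, so only clients that activated on a vulnerable server are prompted to re-activate, which matches the behaviour users see.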
Don’t make the mistake of thinking that OpenSSL is insecure or that the project is sloppy. Its source is open to review by anyone, and a great many people read it, which is more scrutiny than most proprietary TLS stacks receive. Heartbleed nonetheless sat in released code for roughly two years before it was found, which shows that open review alone does not prevent vulnerabilities from creeping in.
The real lesson of Heartbleed is that one can’t be casually secure. Our industry has grown comfortable with the idea that security is just turning on HTTPS and getting a certificate. It isn’t. Real security requires detailed attention not only to current best practices, but also to the attack vectors and vulnerabilities that can reasonably be anticipated, such as a leak of the server’s private key, and to layered defenses that limit the damage when one of them materializes.
Please contact us with any additional questions.
— The Virtru Development Team