Heartbleed vulnerability


Aurimas Vinckevicius

Apr 10, 2014, 12:08:29 PM
to zoter...@googlegroups.com

Were/are any of the Zotero services affected by the heartbleed vulnerability in OpenSSL?

Dan Stillman

Apr 10, 2014, 3:25:42 PM
to zoter...@googlegroups.com
On 4/10/14, 12:08 PM, Aurimas Vinckevicius wrote:
>
> Were/are any of the Zotero services affected by the heartbleed
> vulnerability in OpenSSL?
>

Yes, all of our HTTPS endpoints were vulnerable.

We patched our reverse proxies (www/sync/api and files.zotero.net) on
Monday night, the day of the disclosure. Amazon patched ELB
(forums/repo) and CloudFront (download) by the end of Tuesday. On
Wednesday we reissued our certificates.

Like other services, we have no way of knowing if anyone exploited this
bug to expose Zotero SSL keys, passwords, etc. in the months prior to
its disclosure. I believe our reverse proxies became vulnerable in
December. I'm not sure when ELB/CloudFront became vulnerable. In any
case, if you'd like to change your Zotero password, it's now safe to do so.

Along with the fix to this, due to various other recent improvements
(HSTS, Perfect Forward Secrecy), zotero.org now scores an A+ on the SSL
Labs test:

https://www.ssllabs.com/ssltest/analyze.html?d=zotero.org&hideResults=on
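A defender-side check of the three remediation points in this reply (certificate reissued after the 7 April 2014 disclosure, a forward-secrecy cipher negotiated, HSTS sent), written as an added Python example; it is not code from this thread or from Zotero, and the host/port arguments and the sample header values in the comments are assumptions.

```python
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on Monday 2014-04-07; the reply above says
# certificates were reissued on the Wednesday, so a leaf cert issued before
# this date was not replaced after the key could have been exposed.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def cert_reissued_after(not_before: str, since: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """not_before is the OpenSSL text form returned by getpeercert()['notBefore'],
    e.g. 'Apr  9 12:00:00 2014 GMT' (constructed sample)."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued > since

def cipher_has_forward_secrecy(cipher_name: str) -> bool:
    """Ephemeral (EC)DHE key exchange gives forward secrecy; static RSA key
    transport (e.g. 'AES128-SHA') does not. TLS 1.3 suites are always ephemeral."""
    name = cipher_name.upper()
    return name.startswith(("TLS_AES_", "TLS_CHACHA20_")) or "ECDHE" in name or name.startswith("DHE-")

def hsts_max_age(headers: dict) -> int:
    """max-age from a Strict-Transport-Security header, 0 if absent or zero."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), "")
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0

def assess(not_before: str, cipher_name: str, headers: dict) -> dict:
    """Combine the three checks into one verdict dict (pure function, testable offline)."""
    return {
        "cert_reissued": cert_reissued_after(not_before),
        "forward_secrecy": cipher_has_forward_secrecy(cipher_name),
        "hsts": hsts_max_age(headers) > 0,
    }

def probe(host: str, port: int = 443) -> dict:
    """Live version (needs network): read the leaf cert's notBefore and the negotiated
    cipher from a normal TLS handshake, then issue a HEAD request to collect headers."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_before = tls.getpeercert()["notBefore"]
            cipher_name = tls.cipher()[0]
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = b""
            while chunk := tls.recv(4096):
                raw += chunk
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    headers = {k: v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}
    return assess(not_before, cipher_name, headers)
```

`probe("zotero.org")` reproduces the A+ criteria the reply mentions; `assess` takes the same three values from any source, such as a saved scan.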