Heartbleed (CVE-2014-0160) is a serious vulnerability in OpenSSL, the TLS library behind a huge number of sites on the internet. In this post we describe how we secured our servers in the wake of Heartbleed, and what actions customers should take to further protect themselves.
How it works
Heartbleed lets an unauthenticated attacker read a window of up to 64 KB of a vulnerable server's process memory per request, and repeat the request as often as they like. For our customers, this meant that information passing through our API, including credentials in flight and potentially the server's private key, could have been read by anyone who sent the malformed request. Exploitation leaves no trace in ordinary server logs, so it is almost impossible to confirm or rule out an attack. We therefore recommend that customers take this opportunity to rotate any keys uploaded to our servers, especially those that were uploaded since the vulnerability became public on Monday, April 7th, when working exploit code was widely available.
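The mechanism described above, as an added example that is not part of the original post or CircleCI's code. The record layout follows RFC 6520, and the two handlers mirror the logic of OpenSSL's tls1_process_heartbeat before and after the 1.0.1g fix; the simulated process memory and the secret placed next to the record are constructed for the demonstration.

```python
"""Simulation of the Heartbleed over-read (CVE-2014-0160).

Added example. The record layout follows RFC 6520; the handlers mirror the
before/after logic of OpenSSL's tls1_process_heartbeat. The "memory" and the
SECRET placed on it are constructed stand-ins, not real server data.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding follow the payload
MAX_PAYLOAD = 0xFFFF    # 2-byte length field, hence the "up to 64 KB per request" figure

# Constructed stand-in for whatever else sat in the process's memory next to the
# record buffer (session cookies, uploaded deploy keys, the TLS private key ...).
SECRET = b"CIRCLE_TOKEN=0123456789abcdef"


def build_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Heartbeat record: type (1) | payload_length (2, big-endian) | payload | padding.
    A benign client sets declared_len == len(payload); the attack lies about it."""
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + b"\x00" * MIN_PADDING


def simulated_memory(record: bytes) -> bytes:
    """Process memory as the server sees it: the received record, then adjacent data."""
    return record + SECRET + b"\x00" * 128


def vulnerable_handle(memory: bytes, rec_len: int) -> bytes:
    """OpenSSL 1.0.1 through 1.0.1f: trusts the length field inside the record.
    rec_len (the real size of what arrived) is never consulted; that is the bug."""
    (claimed,) = struct.unpack("!H", memory[1:3])
    # memcpy(bp, pl, payload) with no comparison against rec_len: when `claimed`
    # exceeds the real payload, bytes past the record are copied into the reply.
    echoed = memory[3:3 + claimed]
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + echoed + b"\x00" * MIN_PADDING


def patched_handle(memory: bytes, rec_len: int):
    """OpenSSL 1.0.1g: the record must be long enough for header, claimed payload
    and minimum padding. Returns None when the request is dropped, as the fix does."""
    if rec_len < 1 + 2 + MIN_PADDING:
        return None
    (claimed,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return None                       # the bounds check that was missing
    echoed = memory[3:3 + claimed]
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + echoed + b"\x00" * MIN_PADDING


def response_leaks_secret(declared_len: int, payload: bytes = b"ping") -> bool:
    """True when the vulnerable server's reply carries the adjacent SECRET."""
    record = build_heartbeat(declared_len, payload)
    return SECRET in vulnerable_handle(simulated_memory(record), len(record))


def patched_reply_len(declared_len: int, payload: bytes = b"ping") -> int:
    """Length of the patched server's reply, or 0 if it dropped the request."""
    record = build_heartbeat(declared_len, payload)
    reply = patched_handle(simulated_memory(record), len(record))
    return 0 if reply is None else len(reply)


if __name__ == "__main__":
    lying = build_heartbeat(64, b"ping")      # claims 64 payload bytes, sends 4
    print("honest request leaks secret:", response_leaks_secret(4))
    print("lying request leaks secret: ", response_leaks_secret(64))
    print("patched reply to lying request:", patched_handle(simulated_memory(lying), len(lying)))
```

Nothing in the exchange is logged by default: the vulnerable server simply answers a heartbeat, which is why the post can only recommend rotation rather than confirm whether anything was taken.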
What we’ve fixed
CircleCI runs on Amazon Web Services, using Elastic Load Balancer (ELB) to terminate TLS for our API, our website, and traffic from third-party services. AWS has updated ELB so that it is no longer vulnerable. We have since rotated our TLS certificate and private key and invalidated all customer sessions, so that any key material or session cookies exposed while ELB was vulnerable can no longer be used.
GitHub has provided a way for us to cycle all GitHub OAuth tokens for our customers. We thank them for that, and have rotated every customer's GitHub OAuth token through it. As a result, there is no need for customers to reauthorize CircleCI with GitHub.
We have also updated all internal servers and services to patched OpenSSL versions. As a precaution, we are also cycling our keys for the services we rely on in production and for the services our employees have access to.
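A first-pass check for "is this host running a patched OpenSSL", added here as an example and not CircleCI's tooling. The upstream releases affected are 1.0.1 through 1.0.1f and 1.0.2-beta1; the fix shipped in 1.0.1g and 1.0.2-beta2, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The caveat the code carries is important: distributions backported the fix without changing the upstream version string, so a patched build can still report 1.0.1e, and "affected" here means "investigate further" (package changelog, build date from `openssl version -a`), not "confirmed vulnerable". The version lines it is exercised with are constructed.

```python
"""Classify an `openssl version` line against the Heartbleed-affected releases.

Added example. Affected upstream: 1.0.1 .. 1.0.1f and 1.0.2-beta1.
Fixed: 1.0.1g, 1.0.2-beta2. Never affected: 0.9.8 and 1.0.0 branches.
Caveat: distro packages backported the fix without bumping the version
string, so "affected" is a prompt to check the package changelog, not a verdict.
"""
import re
import subprocess

# "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ...", "OpenSSL 1.0.2-beta1 ..."
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_status(version_line: str) -> str:
    """Return 'affected', 'not_affected' or 'unknown' for one `openssl version` line."""
    m = VERSION_RE.match(version_line.strip())
    if not m:
        return "unknown"      # LibreSSL, BoringSSL or garbage: cannot judge from the string
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # plain "1.0.1" (letter == "") through "1.0.1f" are affected; "g" and later fixed
        return "affected" if letter <= "f" else "not_affected"
    if (major, minor, fix) == (1, 0, 2) and beta == "1":
        return "affected"
    return "not_affected"     # 0.9.8, 1.0.0, 1.0.2-beta2 and every later release


def local_openssl_status() -> str:
    """Run the local `openssl version` binary and classify it; 'unknown' if absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return heartbleed_status(out.stdout)


if __name__ == "__main__":
    print(local_openssl_status())
```

Run it on each host you patched; for an "affected" result on a distro-packaged OpenSSL, confirm from the package changelog that the CVE-2014-0160 fix was backported before treating the host as clean. Note that a patched library only helps processes that have been restarted against it.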
What you should fix
Heartbleed affected a large share of the sites on the internet, and we anticipate that many of your credentials may be affected. We suggest that customers cycle any important credential that a third party may have accessed, or been able to access, during this time. Rotate a credential only after the service that holds it has patched its OpenSSL and reissued its certificate; a credential rotated against a still-vulnerable service can simply be read again.
If you have uploaded any of your credentials via our website, we suggest you rotate them. This includes deployment credentials such as API keys, SSH keys and passwords; CircleCI API tokens; and the tokens used to notify or access your chat rooms.
All credentials stored in CircleCI are managed from a project's "Project settings" page, or from your personal account settings.
We strongly recommend that you update your GitHub credentials as well, as GitHub was also affected by Heartbleed. Follow their recommendations to change your password and enable two-factor authentication.
If you have concerns about how this affects CircleCI or your CircleCI settings, please get in touch - we’re always happy to help. Our in-app notification system is the best way to reach us, though you can also get in touch via firstname.lastname@example.org. For more sensitive questions you can contact us using our GPG key at email@example.com.