April 11, 2014

Like much of the Internet, Ninchat was affected by the OpenSSL security vulnerability identified as CVE-2014-0160, commonly known as the Heartbleed bug.  After the issue was made public on April 7, the necessary fixes were deployed to all affected services by April 9.  However, the impact on Ninchat is greatly reduced by our usage of Perfect Forward Secrecy ciphers in the TLS encryption of our API traffic.

There is no indication that anything has actually been compromised, but we took the necessary precautions in any case by regenerating our SSL certificates and the associated private keys, and invalidating active session keys and authentication tokens.

Finally, all users are encouraged to change their log-in passwords, just in case. Remember to check whether you need to (and should already) do the same for any other Internet services you're using. It's always a good idea!
