Update: Heartbleed Vulnerability
Update: As of Friday, April 11th at 8pm EST, DigitalOcean completed its audit of distribution images and 1-click applications . All images have been updated or patched to protect against the Heartbleed OpenSSL vulnerability.
As many of you are now aware, yesterday the CVE-2014-0160 vulnerability, better known as the “Heartbleed bug”, in the OpenSSL Project was disclosed. This is a serious vulnerability that will affect many websites and applications on the internet. As the researchers have said:
“Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
What have we done?
As soon as this vulnerability was disclosed to us, we immediately began the process of patching our internal systems to use the latest secured version of OpenSSL and updating our mirrors. By noon today, all our infrastructure was updated and our certificates reissued, securing our internal and external facing assets and revoking our old certs.
What should you do?
We advise our customers to follow the steps that we have taken for our own systems (where applicable) to secure your own droplets. At this point, we have no reason to believe that any credentials have been compromised, but to be on the safe side we recommend you change your DigitalOcean.com and Droplet passwords. Using the same password elsewhere (ill-advised in any case) may lead to your password being rendered unsafe again.
We also recommend you make a few precautions as a part of your normal workflow:
- Use a password manager that allows you to create strong passwords that are unique for every service you use.
- Enable two-factor-authentication for any critical infrastructure services you use.
- Periodically roll over your DigitalOcean API keys. This means that you will have to re-issue your API key via the DigitalOcean.com control panel for any applications configured to use your old key.
We are in the process of updating all of our installation images so that any new servers will be patched against this vulnerability from the time of deployment.
For more information about how to update your existing servers and protect yourself against this vulnerability, check out this article.