Update Wednesday, April 9, 2014, at 1:19 a.m. CDT (GMT-6): We reset the Raven system, which logged all customers out automatically. We strongly recommend that you change your password before you log in again. This closes the Heartbleed Bug vulnerability for Raven customers. You don’t need to take any further action.
What happened worldwide
A newly identified bug named the Heartbleed Bug has made nearly 70% of all websites on the Internet insecure — over 600 million, to put this in context — including Raven’s online software website.
The Heartbleed Bug makes the secret keys that encrypt your online data vulnerable to theft. An attacker can easily steal your usernames and passwords, instant messages, emails, business documents and communication from servers with this vulnerability.
The Heartbleed Bug has existed since March 14, 2012. Attackers who exploit it leave zero trace. That means that any website owner affected by this bug has no idea what data may have been compromised since then, or if any data was compromised at all. All that they can do is patch the bug immediately, communicate with customers and take measures to reset their systems.
As of right now, we have no evidence that Raven was attacked. But given the seriousness of this, we are being proactive.
Raven is ordering new security certificates for all of our domains, including custom domains used by our customers. You don’t have to do anything.
What’s next, and what you can do
There’s nothing you (or we) can do until Amazon applies the patch to the servers that Raven uses. Here’s what will happen then:
- After Amazon notifies us that they have applied the patch, we will verify that it’s working correctly.
- Then we will complete the security certificate renewals.
- Then we will reset Raven, which will log you out of the system automatically.
- When you log in again, and from that point forward, your Raven data will be secured from the Heartbleed Bug.
We strongly encourage you to change your password. Everywhere.
Beware of websites that are popping up to “check” for the vulnerability. You may be inviting theft of your data.
Where to read more about Heartbleed
- Finnish National Cyber Security Center: NCSC-FI is distributing advisories and updates to technical communities.
- Heartbleed.com: This contains FAQs with (mostly) simple answers.
- Amazon Web Services: The AWS status page has minimal information now, but more updates may come soon.
- CNET: ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords
- Ars Technica: Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
With the Heartbleed Bug, Raven is experiencing what the world is experiencing. The security of your data is paramount to us, and we want to be honest and keep you informed of the latest news.
We appreciate your understanding and loyalty.
Chief Technology Officer and Co-Founder
Update Tuesday, April 8, 2014 at 2:35 p.m. CDT: Amazon Web Services released more information. Raven’s servers are part of the group that is taking a couple more hours to be fixed.
Update Tuesday, April 8, 2014 at 9:04 p.m. CDT: Amazon Web Services has confirmed the patch. Raven is now processing security certificate renewals for all its domains, including our customers’ custom domains.