On Monday (April 7, 2014) an announcement was published about a new security vulnerability (CVE-2014-0160) in OpenSSL, which is a cryptography library responsible for powering much of the private communication across the Internet. The library is an essential component for maintaining privacy between clients and servers, and for confirming that Internet servers are who they represent themselves to be. The threat has been given the name Heartbleed.
This vulnerability could allow an attacker to steal the keys that protect internet communication and user passwords. This represents a major risk to large portions of private traffic on the Internet, including redtailtechnology.com
At this point, we've seen no indication that the attack has been used against redtailtechnology.com. However, the nature of the attack makes it difficult to detect so we are proceeding with a high degree of caution.
How is Redtail responding to this?
While we are continuing to monitor the situation, we have completed a number of measures already:
OpenSSL Patch — We've patched all our systems using the newer, protected versions of OpenSSL, a process we began as soon as the vulnerability was disclosed publicly. We are also coordinating with our partners to ensure they're upgrading their systems to minimize Redtail's exposure.
SSL Keys and Internal Credentials — We've recreated and redeployed new SSL keys and reset internal credentials, as well as revoked our older certs to be on the safe side.
Browser Session Resets — We've been forcibly resetting all browser sessions that were active prior to the vulnerability being addressed on our servers. This may have logged you out of Redtail, requiring you to log in again. We took this measure to prevent potential session hijacking attacks that may have occurred while the vulnerability was open.
What should you do about this?
While at this time Redtail has no reason to believe that the attack has been used beyond testing the vulnerability, you might consider the following step as an added precautionary measure:
We take every precautionary measure in order to keep your data safe. We will continue to stay on top of this vulnerability and will post updates as needed.