Heartbleed mitigation

April 9, 2014

Along with thousands of other sites, Furkot was affected by the Heartbleed bug. We would like to let you know what we have done to mitigate our exposure:

  • we upgraded the software on our servers closing the loophole - 4/8 5pm EST
  • we regenerated encryption keys - 4/8 5pm EST
  • we installed new certificates on our websites - 4/9 7am EST
  • we requested revocation of old certificates - 4/9 8am EST

We are reviewing all our partners and vendors to ensure they similarly took the necessary steps.

You can find a comprehensive report of our SSL configuration on the Qualys SSL Labs website.

Please note that our servers were always configured to use Perfect Forward Secrecy, which should protect past communications from retrospective decryption.

Furkot servers are no longer vulnerable to this particular attack and we did not detect any traces of potential intrusions. However, exploiting this bug does not leave any noticeable traces and - although it's unlikely - we cannot be 100% sure that some information stored on our servers was not compromised.

The most sensitive data we store about our users are their login credentials. All the passwords in our database are hashed using bcrypt, which is recognized as the best industry practice. That said, if you created a password account in Furkot, consider changing it, and - if you used this password with other services - change it there as well.

Before visiting any website that requires login, you may want to check that it has already patched this vulnerability. You can use this tool to make sure it's safe.

We encourage our customers to always use a password manager, such as LastPass, KeePass, 1Password or similar to maintain strong and unique passwords.

If you have any questions or concerns, please don't hesitate to contact us.