Category Archives: security

Heart-not-so-bleed!

Executive overview

Cyphertite was not vulnerable to the Heartbleed attack.

Management overview

Disclaimer: These findings are true for the Cyphertite service ONLY. We are not making any statement about other people’s results and/or attack surface.

We did not receive an advance warning of the Heartbleed vulnerability. As soon as the news broke the Cyphertite team shut down all services and began investigating its exposure. We quickly established that the website was not at all vulnerable to Heartbleed (it uses OpenSSL 1.0.0f) but we used a vulnerable version of OpenSSL on the service itself (OpenSSL 1.0.1c). The service was patched and brought back online with 3 hours of the Heartbleed announcement, however, at that time, we did not know the extent of Cyphertite’s exposure.

Continue reading

HTTPS safe? maybe not!

At Conformal, we keep up with the most secure cryptography technologies available and implement these technologies into our products and services whenever possible. However, we consider ourselves the minority in this practice, with most other sites only offering the bare minimum in terms of security. Amid the recent PRISM leaks, more and more attention has been drawn towards mass acceptance of one such technology, known as Perfect Forward Secrecy (hereforth referred to as PFS). This blog post will cover how HTTPS without PFS fails to protect today’s communication against tomorrow’s attacks, how PFS is able to prevent against these attacks, and the current state of PFS on the web and Conformal’s servers.

Continue reading