Update on OpenSSL vulnerability and AnnoMarket
Following the disclosure of the Heartbleed bug at the beginning of this week, we would like to inform AnnoMarket users that we have taken all necessary measures to keep our system and your data secure.
The Heartbleed bug is a vulnerability in the popular OpenSSL cryptographic library, which AnnoMarket uses to encrypt much of its HTTPS traffic. In theory, the vulnerability allowed an attacker to obtain data residing in the server’s memory. This could be sensitive information such as cryptographic keys or user credentials. However, there is no evidence that any AnnoMarket servers have been attacked.
The bug was discovered in the OpenSSL library, which is the most popular cryptographic library, used by millions of web servers on the internet. It is considered one of the most secure ways to do cryptography. Even so, as bugs are inevitable, it is important that the administrators of a service take prompt measures in order to mitigate the consequences. Here is what we did:
• We updated the OpenSSL library we use to a fixed version, which does not have the vulnerability.
• We changed all our SSL certificates in order to make sure that even if our old ones have leaked, the traffic which passes through our system is securely encrypted with the new ones.
There is a small chance that your credentials have leaked. If you are concerned in any way, you can easily change your account password and generate new API keys at https://annomarket.com/yourAccount/index
Amazon have provided information about the fixes they have made to their services (some of which AnnoMarket use) – https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/
If you are curious about the Heartbleed bug, you can read more about it here – http://heartbleed.com/
Please contact us via this website or on Twitter @AnnoMarket if you have any other concerns.