Heartbleed: What XDA Did to Patch This Critical Internet Flaw
Pardon this break from our usual mobile development news for a short brief on a recent security vulnerability that affected XDA. Heartbleed is rightly considered to be one of the most dangerous bugs to hit the Internet in a long time, if not ever. Since XDA’s servers were vulnerable to this exploit, we wanted to let you know what we did to fix this problem and what steps you could do to mitigate an issue like this in the future.
As soon as the severity of this flaw was understood, we immediately patched our servers with the new version of OpenSSL. Some of our infrastructure uses custom-compiled Nginx, which utilized the flawed OpenSSL library. Other services use the binaries provided by the OS (for example, CentOS or Ubuntu). That fixed the critical issue of random-bits being displayed to an attacking user, which could then be used to steal session information or reveal our private certificate from which we encrypt SSL traffic. In theory, that means if someone has that certificate and has collected our traffic, they could decrypt it to see what was transmitted. This is an unlikely situation, but due to the length of time this bug was active within OpenSSL, it is a concern (especially considering the latest revelations of mass data surveillance.)
In addition to XDA-run services, we also rely on a third party to carry some of our traffic through the Internet using a CDN-like service. Even though our internal services were patched, this external service required some additional time to fix their implementation of OpenSSL. We opened a ticket with them and within a few hours they also had provided a fix.
As a second step, we are regenerating our SSL certificates with a new private key. Our certificate provider hasn’t yet sent this to us, so we are just waiting on that to install a new certificate. (Keep an eye on this thread, we’ll update it when this has happened.) This is just in case someone was able to successfully steal our private certificate, although there is no evidence that this happened. If you want to be extra paranoid, after we install the new certificate you can set a new password.
Finally, it is important to note that XDA does not pass the vast majority of it’s traffic through SSL (i.e. https) connections. This is largely due to factors outside of our control, having to do with user-generated content, advertising, and the platforms we are using. One of our goals is to eventually have all of our traffic encrypted, and we continually work towards this.
To avoid having your private messages stolen via a bug such as this, here is a tip: Make sure to encrypt your messages that are sent to external/cloud services (including XDA) using something like GnuPG. This ensures that your messages cannot be read even if the traffic is intercepted, unless the intercepting party has your personal certificate.
If you have any questions or comments, please be sure to leave them below!