The Heartbleed bug has sparked security reviews at many companies and GoSquared is no exception. We handle a lot of data in our applications and through tracking. Much of that is sensitive (IP addresses, email addresses etc.) and therefore we have a serious responsibility to keep that data as secure as possible.
We’re continually working on our security and have made some great steps forward in the past few months (and even more so in the past couple of days since the Heartbleed bug was made public). I want to share a few of the recent improvements, fixes and changes that we’ve released at GoSquared.
Heartbleed bug fixed
We use Amazon Elastic Load Balancers for all traffic to gosquared.com and our other domains. Therefore the Heartbleed bug was fixed on the 8th of April. We’ve re-keyed our SSL certificate —and revoked the old one— so traffic to GoSquared is no longer vulnerable.
User Sessions
In response to the Heartbleed bug, all user sessions will be revoked at 18:00 UTC today (9th April) requiring all users to log in again. The ability for us to revoke and track user sessions was added late last year, and manual session management will be made available to our customers in the near future to provide significantly better control over account access.
Perfect Forward Secrecy (PFS) and TLS 1.2
We’ve taken this opportunity to review our SSL/TLS configuration and today we enabled PFS for all gosquared.com traffic. This change means that even if somebody gains access to our certificate and private keys, they will not be able to decrypt any previously intercepted data sent either to or from us. All traffic to gosquared.com is already forced to use SSL, and tracking data will use SSL so long as the site we’re tracking from is secure.
Additionally, we’ve upgraded to TLS 1.2 which means there is no longer a dependency on MD5 and SHA-1. There are also some new, modern cipher suites which can be utilised (dependent on browser support).
Passwords
Alongside our user sessions improvements, we completely reimplemented our password systems to use modern hashing systems. Even if somebody was able to gain access to our entire database, they should not be able to decrypt any passwords. This new system is orders of magnitude more secure than most salted password backends. We’re using Scrypt to ensure significant computational power would be required to generate rainbow tables.
We’re planning to enable multi-factor authentication in the near future for an extra level of security.
Conclusions
We have no evidence of unauthorised access to any GoSquared accounts. However, in line with advice from the Open SSL community, we would actively encourage our customers change their passwords as a precautionary measure. If you spot anything at all suspicious with your account, please report it immediately to security@gosquared.com.
We’ll continue actively monitoring security and post any further updates on the blog.
