Apr 25, 2014 By Devin
It has been a little more than two weeks since the SSL/TLS bug known as Heartbleed hit. LaunchKey systems utilize OpenSSL and were patched immediately after a fix was available. This was important as our systems were updated before any proof of concept code was public and well before it was even proven that certificates and keys could be obtained. After our forensic analysis, there is very little evidence that this bug was ever used against LaunchKey systems. However, as a precaution we've had to update our SSL certificates and keys. We also terminated all active sessions at the time (Monday April 7), requiring re-authentication as a precaution.
LaunchKey authentication itself was not affected by Heartbleed. In fact, while everyone needs to reset their passwords (and OTP tokens) at sites affected by Heartbleed, LaunchKey mobile users can rest easy knowing their secure credentials remain decentralized on one's mobile device.
LaunchKey is encouraging developers to update their LaunchKey API keys. Again this is a precaution, but we will be disabling applications that do not have new keys in the near future. To get new keys, simply log in to LaunchKey Dashboard.
This update process took us longer than we liked because we use a security practice known as SSL pinning to ensure that our mobile applications are only communicating with LaunchKey servers. Both iOS and Android applications had to be updated and approved (iOS) to communicate with our new certificates. These updates have been available for more than a week now, and we are confident our users have had a chance to update their applications.
WHERE DID WE STAND BEFORE HEARTBLEED
The LaunchKey SSL setup is routinely audited and updated as necessary. For more than a year LaunchKey has utilized HTTP Strict Transport Security (HSTS) and Perfect Forward Secrecy (PFS) in our implementation. Having PFS enabled prior to this bug was vitally important, as every SSL/TLS session could not be cracked by simply having the master certificate/key to all of the previous traffic.
WHERE DO WE GO FROM HERE
In order to immediately respond to a similar situation in the future we have implemented improvements to our mobile SSL pinning. In the future revoking a certificate, even if a new key is required will be quick and seamless for all parties without a mobile update needed.
If you are a LaunchKey user or developer and have any questions regarding Heartbleed, please do not hesitate to contact us!