Recovering from Heartbleed

Friday, 11 April 2014

If you’ve followed the news from this past week, you may have heard about the “Heartbleed” security issue that’s affected a large part of the Internet. I wanted to take a few moments to update you about what we’ve done to recover from this issue and protect the data of contributors and users of OpenMRS.

We want to set a good example as a leader in the free and open source software community, and we care about the security and privacy of your data. So this past week, we took every available step to recover from this security incident. If you are an OpenMRS implementer and use SSL in your OpenMRS installations, please be sure you follow a similar approach as soon as possible, based on your assessment of risk and impact.

Our community infrastructure team at OpenMRS has been hard at work during this week to make sure your information and accounts used to access OpenMRS community resources are safe. Special thanks to Ryan Yates and Elliott Williams for their hard work this week. Although we have no indication that there was any breach of privacy or security, here are the proactive steps we took this week:

  1. We updated all our web servers. The bug that was discovered was introduced in OpenSSL (an open source security software component) a couple years ago and was an honest mistake, but was just announced this week. As soon news broke on Tuesday morning, we immediately began installing the upgrade provided by OpenSSL. This process was completed on Tuesday.
  2. We tested all our web servers. After upgrading OpenSSL, we tested those servers to make sure they were no longer vulnerable to this security issue. You can test them for yourself using tools like https://www.ssllabs.com/ssltest/.
  3. We updated our SSL certificates and revoked the old ones. We generated new SSL security certificates for our web servers and installed them, and then triggered a “revocation” process for the old certificates. This means if someone were able to (although highly unlikely) obtain our SSL certificate keys, that old certificate would no longer be considered valid by web browsers that check for certificate revocation. (You should check with your web browser’s settings to see if it’s configured to do so, and turn it on if not. It’s not perfect, but it can help.)
  4. We began assessing our infrastructure to increase use of Perfect Forward Secrecy. PFS is an improvement on SSL that prevents the use of a compromised private key to decrypt past communications. Some of our tools are already enabled with PFS, but others are not. We will work to enable PFS and HSTS wherever possible.
  5. We cleared all OpenMRS ID passwords. Although we have not found any indication that it happened, it is technically possible that someone was able to intercept traffic on one of our web servers, and obtain our users’ password or other sensitive information. Therefore, we have cleared all passwords and are requiring users of our community tools to reset those passwords before further use.

What this means to you

If you have an OpenMRS ID to use our online community collaboration tools like JIRA, our Confluence Wiki, OpenMRS Talk, etc., you’ll need to reset your OpenMRS ID password before you can continue to access those services. To do so, please visit https://id.openmrs.org/reset** and follow the instructions. If you have any problems with the password reset process, please write to our support team at helpdesk@openmrs.org, or visit: http://go.openmrs.org/helpdesk

As always, thank you for your support!

Michael Downey
OpenMRS Community Manager

** You’ll need to type this in to your web browser rather than clicking a link. This helps you be sure that you’re going to the legitimate password reset page.

No comments yet.

Leave a Reply