Heartbleed Security Advisory

Sid Stamm


Issue

OpenSSL is a widely-used cryptographic library which implements the TLS protocol and protects communications on the Internet. On April 7, 2014, a bug in OpenSSL known as “Heartbleed” was disclosed (CVE-2014-0160). This bug allows attackers to read portions of the affected server’s memory, potentially revealing data that the server did not intend to reveal.

Impact

Two Mozilla systems were affected by Heartbleed. Most Persona and Firefox Account (FxA) servers run in Amazon Web Services (AWS), and their encrypted TLS connections are terminated on AWS Elastic Load Balancers (ELBs) using OpenSSL. Until April 8, when Amazon resolved the bug in AWS, those ELBs used a version of OpenSSL vulnerable to the Heartbleed attack.

Because these TLS connections terminated on Amazon ELBs instead of the backend servers, the data that could have been exposed to potential attackers was limited to data on the ELBs: TLS private keys and the plaintext contents of encrypted messages in transit.

For the Persona service, this included the bearer tokens used to authenticate sessions to Persona infrastructure run by Mozilla (including the “fallback” Persona IdP service). Knowledge of these tokens could have allowed forgery of signed Persona certificates.

For the Firefox Account service, this included email addresses, derivatives of user passwords, session tokens, and key material (see the FxA protocol for details).

Raw passwords are never sent to the FxA account server. Neither the account server nor a potential attacker could have learned the password or the encryption key that protects Sync data.

Sensitive FxA authentication information is only transmitted during the initial login process. On subsequent messages, the session token is used as an HMAC key (in the HAWK protocol), and not delivered over the connection. This reduces the amount of secret material visible in ELB memory.
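To make the difference between the Persona bearer tokens and the FxA session tokens concrete, here is an added example (not code from the advisory, Persona or FxA) contrasting a bearer credential with a simplified Hawk-style signed request: the session id, nonce and a MAC cross the connection, while the token itself stays on the client. The session id, token value, host and resource path are constructed sample values, and the normalized string is a reduced form of the real Hawk layout.

```python
import hashlib
import hmac

# Constructed sample values (not from the advisory): a session id and the
# 32-byte session token the client obtained during the initial FxA login.
SESSION_ID = "session-42"
SESSION_TOKEN = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def normalized_string(ts, nonce, method, resource, host, port):
    # Simplified Hawk-style normalized request string (assumption: a reduced
    # form of the real Hawk layout, enough to show the mechanism).
    fields = ["hawk.1.header", str(ts), nonce, method.upper(),
              resource, host.lower(), str(port)]
    return "\n".join(fields) + "\n"

def hawk_header(token, session_id, ts, nonce, method, resource, host, port):
    # Client side: the token is the HMAC key and never leaves the client;
    # only the id, timestamp, nonce and MAC travel over the connection.
    msg = normalized_string(ts, nonce, method, resource, host, port).encode()
    mac = hmac.new(token, msg, hashlib.sha256).hexdigest()
    return {"id": session_id, "ts": ts, "nonce": nonce, "mac": mac}

def bearer_header(token):
    # Bearer-style auth (as with the Persona tokens in the advisory): the
    # secret itself is the credential and sits in the plaintext request.
    return {"authorization": "Bearer " + token.hex()}

def verify_hawk(token_store, header, method, resource, host, port, now, skew=60):
    # Server side: look up the token by id, reject stale timestamps, and
    # recompute the MAC with a constant-time comparison. A real server would
    # also remember (id, nonce) pairs to reject replays inside the skew window.
    token = token_store.get(header["id"])
    if token is None or abs(now - header["ts"]) > skew:
        return False
    msg = normalized_string(header["ts"], header["nonce"], method,
                            resource, host, port).encode()
    expected = hmac.new(token, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header["mac"])

def token_in_plaintext(header, token):
    # A memory read of the TLS terminator could expose the decrypted request;
    # check whether the raw token value appears in it at all.
    return token.hex() in "".join(str(v) for v in header.values())
```

Run `token_in_plaintext` over both header styles: the bearer header carries the secret, the Hawk header does not, which is exactly why the advisory treats the two token types differently.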

Status

We have no evidence that any of our servers or user data has been compromised, but the Heartbleed attack is very subtle and leaves no evidence by design. At this time, we do not know whether these attacks have been used against our infrastructure or not. We are taking this vulnerability very seriously and are working quickly to validate the extent of its impact.

Amazon has updated their ELB instances to fix the vulnerability. We have re-generated TLS keys for all production services, and revoked the possibly exposed keys and certificates. Subsequent sessions with Persona and Firefox Accounts are not vulnerable to the Heartbleed attack.

As a precaution, we have revoked all Persona bearer tokens, effectively signing all users out of Persona. The next time you use Persona you may need to re-enter your password.

Because Firefox Accounts session tokens are not used as bearer tokens, we believe it was unnecessary to revoke them.

Additional User Precautions

Although we have no evidence that any data was compromised, concerned users can take the following additional precautions:

  • Persona: if you have a fallback account, you can change the password. This will require you to re-enter your password, on each browser, the next time you use Persona.
  • Firefox Accounts (FxA): you can change your account password. This will invalidate existing sessions, requiring you to sign back into Sync on all your devices. Devices will not sync until you sign back in.
  • If you have used the same password on multiple sites or services, in order to protect yourself, you should change the password on all services.

14 responses

  1. Carol Beatty wrote on :

    So, as a Firefox browser user, do I need to change my passwords for all the websites I access?

    1. Nathan wrote on :

      Unless all of the passwords are the exact same as your Persona password, no. I’ve changed both my Persona and Sync passwords, and since I use that specific password in one other place, there too. Everything else is fine.

    2. Daniel Veditz wrote on :

      There’s no blanket answer. Not all sites were affected by the bug and you don’t need to do anything on unaffected sites (unless you use the same password everywhere). On affected sites there’s no point changing your password until after the sites have been fixed. Unless a site makes an announcement (as we have here) it’s very hard to know.

  2. Rod Johsnon wrote on :

    Chrome released an extension to detect websites affected by the vulnerability. Any plan for Firefox to do the same?

    1. Daniel Veditz wrote on :

      It’s not “official” but we do have https://addons.mozilla.org/en-US/firefox/addon/heartbleed/

  3. Rohan wrote on :

    Guys, I have changed my Firefox Accounts password. Do I need to change all the passwords saved in my Firefox browser? Are they affected or not?

    1. Sid Stamm wrote on :

      Heartbleed doesn’t affect Firefox, just some of the web sites you might have visited.

      Your passwords are safe in Firefox’s password manager, but it wouldn’t hurt to change your password on any sites that were vulnerable to Heartbleed (once they fix their servers).

      It’s also possible none of your passwords were leaked–even if some of your favorite sites were affected–but if you’d like to be extra safe, changing passwords is a good idea.

  4. Manuel wrote on :

    What about “addons.mozilla.org”? Is or was this server affected by the heartbleed bug?

    1. Sid Stamm wrote on :

      Many of our services, including addons.mozilla.org, were not affected by Heartbleed due to the infrastructure and SSL implementation they use.

      1. Rich Gray wrote on :

        “many of our servers … were not affected by Heartbleed”.

        Sorry, that’s not good enough. I need to log into bugzilla.mozilla.org. Safe or not safe? How much do I have to dig to figure this out?? I’ll probably jump into irc to see if I can get an answer from #BMO(?) Oops, that’s SSL too – is it safe?? If I seem frustrated, I am. I’ve yet to encounter a site which has an unambiguous statement about Heartbleed on its main page. It’s a @#$% mess! IMHO, sites should have an obvious link to a definitive statement on Heartbleed (especially if the site was vulnerable.) The statement should fall into three categories:

        1. Due to software used or configuration our site was never vulnerable to Heartbleed.

        2. This site was vulnerable to Heartbleed. The problem has been fixed (software patched, certificates revoked and replaced, … ) Users should change their passwords and watch out for any suspicious activity.

        3. This site is vulnerable to the Heartbleed bug. Do not login until we have the problem fixed. You will then have to change your password. Watch out for any suspicious activity.

        Mozilla.org should set an example of this, which I think should be best practice. Since some services were affected and some not, I submit there should be a page which lists all of the Mozilla services, indicating which were and weren’t affected. Links to this page should be prominent.

        1. Exactly wrote on :

          Nothing on financial services’ websites.

          At best, you get a vague, meaningless PR statement along the lines of “We care about security… no reason to believe accounts were compromised”. I’m not blaming the clueless chap taking my call, but whoever provided him with this inanity to recite needs to find a job more suitable for their skills.

        2. Frederik Braun wrote on :

          Some servers were affected. They got a new certificate and are safe to use again (since Tuesday).
          Some were not, so they didn’t get a new certificate, as they were and are still safe to use.

  5. Jann wrote on :

    Good on getting the word out about the extension in the Associated Press articles…now, if Mozilla would just review it (or show it as reviewed), I’d feel much more comfortable using it.

    Thanks!

    Jann

  6. ADAMAS wrote on :

    FOR CHROME, HEARTBLEED INSTALLED EASILY, WHILE FIREFOX DOES NOT DOWNLOAD IT FROM ITS EXTENSIONS. WHAT SHOULD I DO? KIND REGARDS, DR. ADAMO ADAMAS