As many of you have heard, the Heartbleed vulnerability has been wreaking havoc on the Internet this past week. Everyone is scrambling to see which of the services they use were affected and what to do to mitigate any exposure. We have been investigating this vulnerability as it pertains to Biztrackr, and the short answer everyone wants to hear is that Biztrackr was not affected in any way.
Biztrackr is built on top of Microsoft Internet Information Services (IIS) and uses Microsoft's implementation of SSL/TLS, called Secure Channel (Schannel). This is a separate code base from OpenSSL and is not affected by Heartbleed. As a security enhancement, we have also already upgraded our servers to use Perfect Forward Secrecy (PFS), so even if a similar vulnerability were ever found in Microsoft's implementation, our exposure would be minimal.
We also looked into the systems we use for online backups, since those systems transport Biztrackr data as well. We use Amazon Web Services S3 and JungleDisk for backups. Amazon Web Services was partially affected by Heartbleed, but Amazon has announced that they have "either determined that the services [including S3] were unaffected or have been able to apply mitigations that do not require customer action." JungleDisk released a notice that they "did not have the vulnerable (D)TLS heartbeat extension enabled," so JungleDisk was also not affected.
If you have any other questions about the security of Biztrackr, feel free to submit a support ticket or post a message in our forums.
Bryan