TeleSign’s operations and engineering team has conducted a comprehensive security audit of our systems, confirming that we were not susceptible to the Heartbleed vulnerability. As should anyone who provides an Internet service, our audit involved a review of all systems and devices that use the OpenSSL library for SSL communications.
Heartbleed is a good warning to people about security and a perfect example of why TeleSign chose HMAC-based authentication when we developed our REST APIs. Because TeleSign uses HMAC, authentication relies on a shared secret that both sides already hold, so TeleSign customers’ credentials are never sent over the encrypted SSL connection as part of a transaction with the TeleSign service. When TeleSign launched our RESTful APIs we blogged in detail about this feature. Please read here about why HMAC is better: https://www.telesign.com/blog/post/restful-apis.
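As an added illustration (not TeleSign’s own code or signing scheme), the following Python sketch shows the property described above: both sides hold the shared secret, the client sends only an HMAC over the request, and the server recomputes and compares it from its own copy. The header names, the canonical string layout and the endpoint path are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Shared secret provisioned out of band; constructed sample value, not a real key.
SHARED_SECRET = b"constructed-sample-secret-do-not-use"


def canonical_string(method, path, timestamp, nonce, body):
    """String both sides sign. This layout is an assumption, not TeleSign's actual one."""
    body_digest = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_digest])


def sign(secret, method, path, timestamp, nonce, body):
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: headers carry a timestamp, a nonce and the signature; the secret stays local."""
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = nonce or secrets.token_hex(16)
    headers = {"X-Date": timestamp, "X-Nonce": nonce,
               "X-Signature": sign(secret, method, path, timestamp, nonce, body)}
    return {"method": method, "path": path, "body": body, "headers": headers}


def verify_request(secret, request, seen_nonces):
    """Server side: recompute the HMAC with the server's copy of the secret and compare in
    constant time. A replayed nonce, or any change to method, path, body or headers, fails."""
    h = request["headers"]
    if h["X-Nonce"] in seen_nonces:
        return False
    expected = sign(secret, request["method"], request["path"],
                    h["X-Date"], h["X-Nonce"], request["body"])
    if not hmac.compare_digest(expected, h["X-Signature"]):
        return False
    seen_nonces.add(h["X-Nonce"])
    return True


def secret_visible_on_wire(request, secret):
    """What a passive observer of the (possibly broken) TLS channel sees is the serialized
    request. Returns True only if the secret itself appears in it."""
    return secret.decode() in json.dumps(request)
```

A leaked TLS key exposes the signed request, which is replay-limited by the nonce and timestamp, but not the shared secret needed to sign a new one.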
For TeleSign customers who are still using our legacy SOAP APIs: you can rest assured that TeleSign’s infrastructure was not vulnerable to this attack; however, you should carefully consider moving any Internet service you use to the more secure HMAC-based authentication.
Unfortunately, many, many Internet service providers were impacted. If you provide SSL-based services on the Internet, you should immediately upgrade to the latest version of OpenSSL. You should then create a new SSL private key and regenerate the SSL certificates you are using, on the assumption that your private key was stolen during the vulnerability window (over two years, depending on when you started using OpenSSL 1.0.1). Without this step, any future SSL conversation with your site remains at risk.
For everyone who isn’t running their own SSL server on the Internet, which is 99.9% of people reading this, there are two simple things you can do:
- Once your provider announces they have secured themselves against this vulnerability, reset your password. During the window in which a provider of any service on the Internet was unpatched, your password could have been compromised.
- If your provider offers two-factor authentication (2FA), turn it on! 2FA will always protect you even if your password is exposed. If more people used 2FA today, this would still have been a huge bug, but at least users’ accounts would have been dramatically less vulnerable.
Heartbleed is a nightmare for any provider on the Internet who was vulnerable to it. Fortunately, TeleSign was not impacted. Because of our implementation of HMAC, even if a customer’s SSL conversation is somehow compromised, the credentials that TeleSign customers use to log into and use TeleSign’s services are safe from SSL snooping.