Heartbleed Vulnerability Update

On Monday, April 7th the Heartbleed bug was announced by OpenSSL. Heartbleed is a vulnerability in the OpenSSL cryptographic library; details are available at http://heartbleed.com/

Was Passpack vulnerable?

Passpack utilizes OpenSSL, and we were vulnerable to this bug. Our systems were updated this morning, April 8th; new SSL keys were generated, and new SSL certificates were requested and deployed, so Passpack is no longer vulnerable. We have also had a feature called “perfect forward secrecy” enabled on our SSL connections for some time, which eliminates the ability to decrypt previously captured traffic retroactively.

What should I do?

Sensitive data sent to Passpack is encrypted with a key that is never transmitted to our servers, so your data is never sent over SSL unencrypted. While Heartbleed is a serious issue, your stored data would not have been affected. There is a concern that a man-in-the-middle attack could have masqueraded as Passpack and served malicious JavaScript back to users, compromising their Packing Key. While we do not have any evidence that any customer data was compromised, after analyzing the issue we feel it is better to err on the side of caution and recommend changing your Packing Key (https://help.passpack.com/knowledgebase/idx.php/33/157/article/How-to-Change-Your-User-ID-Password-or-Packing-Key.html). We also recommend enabling two-factor authentication on all accounts.

Since roughly 2/3 of the internet was also affected by this vulnerability, we also recommend that you consider changing your passwords at other sites, as they were likely vulnerable to the same attack.


  1. Jeremy

    Your SSL certificate, according to my browser, says it was generated 4/6, before the announcement of Heartbleed. Will you be updating it?

    • Passpack

      Edit: We re-keyed and re-generated our SSL certificate this morning on 4/8 after patching. You are seeing the “Valid from Date”. There is no “Issued Date” in the certificate.

  2. Marlin

    While what you say is no doubt true, the LastPass Heartbleed checker at https://lastpass.com/heartbleed/ leaves room for doubt about your site. I would think you would probably want a better result to present to users of that tool.

    • Passpack

      Yes, you are right; it is unfortunate that the tools we have seen imply that the valid-from date indicates when the certificate was generated. We have initiated another round of keying.
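The re-keying described in the post and the point made in the comments above (a browser's “Valid from” is only the certificate's notBefore field, not an issue date) can be checked directly. The following is an added example, not Passpack's code: a minimal DER walker that pulls the serial number and notBefore out of an X.509 certificate and reports whether the serial changed against one recorded before the patch, which is the actual evidence of re-issuance. The certificate builder, serials and dates are constructed sample input (unsigned skeletons, not valid certificates).

```python
from datetime import datetime
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7)     # disclosure date given in the post

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (short or long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_serial_and_not_before(der):
    """Walk Certificate -> tbsCertificate and return (serial hex, notBefore datetime)."""
    _, cert_body, _ = der_tlv(der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body, 0)       # tbsCertificate ::= SEQUENCE (first element)
    tag, val, pos = der_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version comes first
        tag, val, pos = der_tlv(tbs, pos)
    serial = val.hex()                      # serialNumber INTEGER
    _, _, pos = der_tlv(tbs, pos)           # signature AlgorithmIdentifier (skipped)
    _, _, pos = der_tlv(tbs, pos)           # issuer Name (skipped)
    _, validity, _ = der_tlv(tbs, pos)      # validity ::= SEQUENCE { notBefore, notAfter }
    tag, nb, _ = der_tlv(validity, 0)       # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return serial, datetime.strptime(nb.decode("ascii"), fmt)

def rekey_evidence(der, previous_serial):
    """(serial changed, notBefore on/after disclosure): a new serial is the real
    re-issue signal; "Valid from" is only notBefore, which need not be the issue time."""
    serial, not_before = cert_serial_and_not_before(der)
    return serial != previous_serial, not_before >= HEARTBLEED_DISCLOSED

def _tlv(tag, content):
    """DER-encode one TLV (used only to construct sample input below)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_minimal_cert(serial_bytes, not_before_utc, not_after_utc):
    """Constructed, unsigned certificate skeleton with the fields the parser reads
    (times as UTCTime strings such as "140408120000Z"); not a valid X.509 cert."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                     # [0] version v3
           + _tlv(0x02, serial_bytes)                          # serialNumber
           + sha256_rsa                                        # signature algorithm
           + _tlv(0x30, b"")                                   # issuer Name (empty placeholder)
           + _tlv(0x30, _tlv(0x17, not_before_utc.encode()) + _tlv(0x17, not_after_utc.encode())))
    return _tlv(0x30, _tlv(0x30, tbs))                         # Certificate wrapping tbsCertificate
```

Against a live site, pass the DER from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` and the serial you recorded before the patch; only a changed serial (and public key) shows the site really re-keyed.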
