Security Notice: OpenSSL Heartbleed Bug

Like many other services on the internet, Rowing in Motion Analytics was affected by the OpenSSL Heartbleed bug, which allowed potential attackers to reveal the contents of small portions of server memory. In the case of Rowing in Motion Analytics, this bug affects information going through the nginx-based load balancers of our hosting platform AppHarbor. These load balancers sit in front of the Rowing in Motion Analytics application servers, terminate all incoming SSL connections, and distribute them over a secure private network to the application servers. This means that no memory content of our application servers could have been revealed through this vulnerability, nicknamed the “Heartbleed bug”.

Together with AppHarbor and other service providers that we use to provide Rowing in Motion Analytics, we have responded promptly to this vulnerability, and all affected systems have been patched. (You can verify this using the Heartbleed test.) In line with recommended best practice, we have taken additional precautions to ensure the security and integrity of the service. Specifically, we have:

  • Revoked and re-issued the SSL certificate used by
  • Changed all user credentials used with affected third-party services
  • Invalidated all session cookies, which means all users will have to log in to their accounts again
  • Ensured that all SSL connections to Analytics are now based on perfect forward secrecy

We have no indication that this vulnerability was exploited on Rowing in Motion Analytics. If you are concerned, you may want to change the password you use to sign in to Analytics.

We take the security and sensitivity of the user data that we store very seriously. This means that we will publicly announce any security incidents that might affect the service and user data, even if we have no indication that data was actually compromised, as in this case. Feel free to write to with any questions or concerns you may have.



