In our previous blog post on Heartbleed we said that we would tell you more when we had finished our own cleanup. We completed our work this weekend. We replaced all our SSL certificates, and that required us to update the Silent Text apps themselves. We would also like to give a shout-out to our CA, Entrust, who is giving free updates to certificates for any of their customers who want to replace an SSL certificate over this issue.
We have thus updated all of our affected servers, replaced all our certificates, updated our apps, and tested and verified everything. It's been a busy few days, and our team has done a fantastic job keeping many things working as we revised the working infrastructure.
That means that there are two things that are a good idea for you, a subscriber, to do:
1. Change your password. Now that the servers have new certificates, it's a good idea to do that now.
2. Reset your devices. Silent Circle apps get provisioned with authentication tokens that let the app automatically connect to our servers and authenticate properly as a subscriber. There's a unique authentication secret for every service (Silent Phone and Silent Text) and every device that you provision.
Just as in theory, Heartbleed could leak passwords and keys, it could in theory leak the authentication tokens. By resetting the devices connected to your account, you throw away the existing tokens. You will need to re-provision your devices, but that's simple.
Then restart the apps, and re-provision. On Android, you only need to type your username and password once, and that provisions all the apps. On iOS, you'll need to type a username and password for Silent Phone, and get a provisioning code for Silent Text. We'll have an update for Silent Text that makes this easier soon.
That's it. Changing your password and resetting the apps tidies up all the security that could possibly have been leaked by Heartbleed.