We are sure that you have heard about the Heartbleed bug. Heartbleed is a flaw in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520). The official reference for the Heartbleed bug is CVE-2014-0160. We want to give an update on how it does and does not affect Silent Circle.
We use several different SSL/TLS implementations at Silent Circle. Our whole Silent Phone infrastructure uses PolarSSL, not OpenSSL, and is consequently unaffected by this bug. Silent Text clients use the native SSL libraries on iOS and Android, which on Android is sometimes OpenSSL, but the problem is primarily a server-side issue.
Our Silent Text servers and web servers use OpenSSL. All of our servers that use OpenSSL were upgraded within two hours of our hearing about the Heartbleed bug. On those servers, over 99% of the observable traffic uses the Perfect Forward Secrecy cipher suites, and so the remaining risk is mitigated. We say "observable" because our customer account servers don't log, and we had to infer the statistics.
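To make the forward-secrecy point concrete, here is an added example (not Silent Circle's code) that classifies negotiated TLS cipher suites by whether their key exchange is ephemeral. Forward-secret suites (ECDHE/DHE) mean that a leaked server private key cannot be used to decrypt recorded past sessions, which is the exposure the 99% figure is about; they do not stop the bug itself from leaking whatever else sits in the process memory, so patching remains the primary fix. The example assumes a server-side record of negotiated suites in OpenSSL naming, which is an assumption (the post notes the account servers do not keep such logs); the sample records below are constructed.

```python
"""Estimate the share of TLS handshakes protected by forward secrecy.

Added example, not Silent Circle's code. Assumes a list of negotiated cipher
suite names in OpenSSL naming (e.g. ECDHE-RSA-AES128-GCM-SHA256), such as a
server might record per handshake. The sample below is constructed.
"""
from collections import Counter

# OpenSSL-style prefixes whose key exchange is ephemeral Diffie-Hellman: the
# session key cannot be recovered from the server's long-term RSA key alone.
_EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")


def is_forward_secret(suite: str) -> bool:
    """True if the suite uses an ephemeral (EC)DHE key exchange.

    TLS 1.3 suites (names starting with TLS_) are always negotiated with an
    ephemeral exchange, so they count as forward secret too.
    """
    name = suite.strip().upper()
    return name.startswith(_EPHEMERAL_PREFIXES) or name.startswith("TLS_")


def summarize(suites):
    """Count forward-secret vs static key exchange handshakes.

    Returns a dict with the totals and the forward-secret share (0.0..1.0).
    """
    counts = Counter("pfs" if is_forward_secret(s) else "static" for s in suites)
    total = sum(counts.values())
    return {
        "total": total,
        "pfs": counts["pfs"],
        "static": counts["static"],
        "pfs_share": counts["pfs"] / total if total else 0.0,
    }


def static_suites(suites):
    """Sorted set of suites still negotiated without forward secrecy.

    These are the ones an operator would disable or deprioritise after a
    suspected private-key exposure, since past traffic under them is at risk
    if the key leaked.
    """
    return sorted({s for s in suites if not is_forward_secret(s)})


# Constructed sample: one negotiated suite per observed handshake.
SAMPLE_HANDSHAKES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES256-SHA",  # static RSA key exchange: decryptable if the key leaked
]

if __name__ == "__main__":
    report = summarize(SAMPLE_HANDSHAKES)
    print(f"{report['pfs']}/{report['total']} handshakes forward secret "
          f"({report['pfs_share']:.0%})")
    print("non-PFS suites seen:", static_suites(SAMPLE_HANDSHAKES))
```

Run against a real handshake log, the `static_suites` output is the list to act on first: any session negotiated with a static RSA key exchange before the key was replaced should be treated as potentially readable by whoever may have captured it.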
Silent Circle is secure and the threat has passed; the few servers that were vulnerable have been upgraded. We are now looking at additional mitigations that we feel we should carry out, including replacing our SSL server certificates. We'll update you as soon as we have more to say.