Update / 7:06 PM Tuesday, April 8, 2014 (GMT)
All traffic to Trovebox services over SSL/HTTPS is now secured against the heartbleed bug.
Update / 7:01 PM Tuesday, April 8, 2014 (GMT)
SSL certificates have been re-keyed and deployed.
Update / 6:14 PM Tuesday, April 8, 2014 (GMT)
All web servers have been patched.
Update / 5:49 PM Tuesday, April 8, 2014 (GMT)
All of our ELBs have been patched.
It was released yesterday morning that a major security issue was found in software used by a large part of the Internet. It’s named the heartbleed bug and affects communications done over SSL/HTTPS. We’re actively working on making sure that Trovebox sites are no longer vulnerable to this issue.
We terminate SSL connections at our AWS ELBs and found out that ELBs were vulnerable to the heartbleed bug.
We employ two sets of web servers. One set serves traffic for our main site at trovebox.com. Those web servers were never vulnerable and we don’t need to make any changes to them. The second set serves traffic for your account (i.e. https://current.trovebox.com). These web servers were vulnerable and we’re working to patch them. Please remember that we terminate most connections at an AWS ELB and those were known to be vulnerable. This means that SSL traffic to all Trovebox resources were subject to the heartbleed bug.