OpenSSL Heartbleed Update

The internet was recently rocked by the announcement of a critical vulnerability in OpenSSL dubbed Heartbleed. Libraries provided by OpenSSL are used by approximately two thirds of companies on the internet to secure their communication. Companies across the internet are now working to both patch the vulnerability as well as take appropriate precautions against any potential exploits of the vulnerability. This vulnerability has been given the CVE (Common Vulnerabilities and Exposures) identifier of CVE–2014–0160.

Braintree’s response to Heartbleed

Braintree was using a version of OpenSSL that was vulnerable to Heartbleed at the time of the announcement. The affected systems at Braintree were patched immediately upon the announcement of the vulnerability and were cleared the same day as the announcement. We also reviewed our connections with third parties and confirmed that all impacted third party integrations have been patched and mitigated accordingly.

At Braintree, security is our highest priority and we know that you entrust us with extremely valuable data. We employ intrusion detection and a number of monitoring techniques and have no evidence that any data was compromised from our servers. However, given how pervasive this bug was across the internet and the fact that it exposed a fundamental layer of internet security, SSL, we are proceeding with an abundance of caution. Because the vulnerability may have exposed private SSL keys, we are in the process of rotating these keys now and reissuing the affected certificates. To ensure that service is not interrupted, we will need to take the appropriate time to test the new certificates. We have opened an incident on our status site that you can follow to get updates on the certificate replacement.

What you should do as a merchant

To be safe, we are recommending that merchants update authentication information with any secure service they use, including Braintree. We recommend that users change their Control Panel passwords and rotate their API keys. Please contact our support team at 877.434.2894 or support@braintreepayments.com with any questions.

Along with recent data breaches at major US retailers, the Heartbleed bug may add to the amount of stolen information available to fraudsters across the internet. Braintree provides free, sophisticated fraud tools that can help protect you from fraudsters using stolen information to buy from you. If you’ve not implemented these fraud tools already, we strongly recommend that you do now.

Going forward

As always, we are closely monitoring for any unusual activity and will alert you immediately to any changes in status. We are investigating additional intrusion detection in light of this vulnerability. Additionally we are taking the same precautionary measures that we have recommended to you, including having all Braintree employees change their passwords and continuing to monitor the Heartbleed status of our partners.

***
John Downey John Downey is the Security Lead at Braintree. In his free time he contributes to open source projects and mentors high school students in the FIRST Robotics Competition. More posts by this author

You Might Also Like