How does the Heartbleed security bug affect Linguaquote and its users?

You might have heard about a security bug known as 'Heartbleed' in the news or from any online services you are registered with. If not, try checking the blogs of some of the other secure services you use and you might find a mention.

It's a serious bug in an extremely widely used encryption protocol (related to the more secure https, or 'padlock' versions of sites). It allows attackers to snatch 64kb of memory from the server's RAM, leaving no trace, letting them repeat the attack ad infinitum. Anyone logging in at the time may have their scrambled usernames/passwords/file transfers unscrambled by attackers who must spend long enough on the job to retrieve the key and then apply it to the intercepted session data. Sites employing SSL/https/the browser padlock are now carefully updating their versions of OpenSSL (the software behind the bug) and resetting user passwords out of fear of these having been previously decrypted and stored for future abuses (especially given that most email/password combinations are used on more than one site).

The chances of an attack on a high-traffic site with lots of users and private data are much higher than on those with low traffic, low users, low activity. The state of Linguaquote, for the last few years, has been the latter. I've been working on many other things in the intervening period, and slowly developing LQ in my spare time. Few people log in at the moment, and those who do are sharing no confidential data (the encrypted file upload feature has only recently been implemented). I'm quite confident that it is highly unlikely that we were targeted in an attack by the few who could have possibly known about this bug before the researchers. Despite this I am still very keen to take any precautions necessary.

Here are the concrete steps taken, and a word of advice on what you can do:

  • Perfect Forward Secrecy, or PFS, has been in use on the LQ site from day 1, meaning any previous keys stolen in an attack only apply to that one session, and render it near impossible to decrypt data retrieved at that or any other point in time. PFS is like an extra layer of encryption, employed by only around 6.3% of the 25% of the web's 160,000 most popular websites that actually employ any encryption. To be clear, that's 6.3% of the 40,000 sites employing encryption at all use PFS, or just 2520 sites from the most popular 160,000 sites online [1]. Click the padlock symbol to find out more about the encryption used (look up ECDHE for more information) on the site. Due to this fact alone, you have very little to be concerned about for your data with Linguaquote.

  • OpenSSL is now patched on this server (as of 08.04.14), preventing future attacks of this nature.

  • Site passwords are stored encrypted, only known to the user and irretrievable by anyone else.

  • Files stored on the server are encrypted on upload, and so are never at rest in plain text.

  • As major news outlets are now recommending, changing any passwords shared between sites is advised, given how widespread the attack surface is. If one site was compromised, and your user/pass combination was involved, assume that it will be automatically tested against Paypal/bank/email accounts.

To wrap up, I'll just note that this blog post ought to shine some light on the level of attention Linguaquote pays to the protection of user data. This kind of threat continues to put even small and medium sized businesses at risk of data theft, and so Linguaquote does not rest on its laurels, having protected users from the start, and continuing to do so into the future.


Add new comment

Sharing license

This post is licensed under the Creative Commons Attribution license. We have done this to encourage translations into any language, with a credit link back to the original. Feel free to print and share copies in your business, school or university, or to publish your own translation, and be sure to let us know if you do!

We would like to actively discourage reposting it verbatim, at least not without a canonical link, to show search engines that this is the original post. An alternative way to use the post's information is to use it as a key source for a completely re-written post, still giving credit as per the license. Thanks for your understanding.

Get the latest on translation, freelancing and business.
(You'll also get our Translation Marketing Checklist)