[OSRM-talk] Our reaction to the heart bleed SSL bug

Dennis Luxen info at project-osrm.org
Wed Apr 9 20:23:39 UTC 2014


Dear OSRM API users,

A couple of days ago, we announced the availability of an HTTPS/SSL endpoint for our public API server. Then the Internet-wide security bug in the OpenSSL framework struck. It is known as the Heartbleed vulnerability [1]. We would like you to know that we have taken appropriate steps to mitigate the risks as soon as we learned about this issue. Specifically, we

- updated the affected OpenSSL libraries,
- set up two-factor authentication for admin access [2],
- renewed the SSL certificate provided by Globalsign,
- configured perfect forward secrecy for SSL, and
- changed all passwords

as precautionary measures across all our servers.

These changes require no further changes on behalf of our users, and we have no reason to believe that any communication or server access has been compromised.

Kind regards,
Dennis


[1] http://heartbleed.com
[2] http://en.wikipedia.org/wiki/Two-step_verification
[3] http://en.wikipedia.org/wiki/Forward_secrecy

