The official blog on Trillian development.

OpenSSL Heartbleed Vulnerability Update

This past Monday, April 7th, the OpenSSL Project released an update to address a serious security issue, CVE-2014-0160, nicknamed “Heartbleed”. Any server or client application that depends on impacted versions of OpenSSL is vulnerable to a leak of encrypted secrets to a remote attacker.
 

Trillian Cloud Infrastructure.
As of Tuesday, April 8th at 23:00 UTC, all of Trillian’s infrastructure has been updated and is no longer vulnerable. This includes our general-purpose web servers, the servers used to facilitate our web and mobile clients, and the IMPP servers that power our actual IM network. Because this attack could have exposed our TLS certificate, we’ve also generated a new private key and obtained a new certificate as a precaution. 
 

Trillian Clients.
Trillian for Windows versions 5.3.x.x to 5.4.0.15 are vulnerable to Heartbleed. Although exploiting a client is a few orders of magnitude more difficult than exploiting a server, exploitation is still technically possible and we urge everyone to upgrade their clients as well. A new version, 5.4.0.16, is now available via auto-update and direct download. Other versions of Trillian, including Trillian for Mac, are not impacted by this vulnerability.
 

In-House Trillian Servers.
All versions of in-house Trillian Servers are vulnerable to Heartbleed. An updated version, 1.0.0.47, has been released and all in-house customers will be sent additional information directly via email shortly. If you’re not sure if your company has updated its server and need assistance or clarification, please get in touch.
 

Passwords.
Because the surface area of this vulnerability is so large and impacts thousands of different companies, we recommend that all Trillian users change their passwords as a precautionary measure. The recommended way to change your password is from within Trillian itself, in preferences. This is also a good opportunity to review your overall password strategy: make sure you don’t share passwords between sites and that your passwords are as strong as possible!

60 Responses to “OpenSSL Heartbleed Vulnerability Update”
  1. DV THE FOX Says:

    How about fixing many things from the program itself?

  2. Cledson Silva Brito Says:

    It would be great if it were possible to access WhatsApp through Trillian as well.

  3. Hal Says:

    I want to login to the forums to ask a question about this- but it won’t let me register to the forums…. SO…

    is the architecture of Trillian that it proxies my connections over to the various IM providers? I imagine so. do we know which of those are impacted and what password changes we need to make due to heartbleed for those?

  4. ?MED AFZA?©™ Says:

    Hello ,
    Port does not work in Skype; unable to connect to Skype from Trillian server. It’s been a long time since an update was performed.

  5. smw Says:

    Hal: We proxy connections on the mobile and web side, not on the desktop side. I believe a fair number of Yahoo’s web servers were impacted by this bug as well, but to be safe you should change passwords for all of the services you use, IM and otherwise. The impact of this bug was large enough that it’s impossible to determine what may or may not have been leaked.

  6. meeeeeeee Says:

    what the hell else is going to happen to users ? we can’t rely or use internet or networking anymore. it’s either the government or a hacker that is killing off its use. FU ALL

  7. Yuriy Says:

    If you feel that you could do a better job running global networks and writing security software, you should definitely get on that.

  8. Federico Einhorn Says:

    Fix the damn skype plugin! It’s over 6 months now!

  9. Nick Says:

    As a reminder to people regarding password changes, do *not* bother changing them until you know the provider has patched their services. Otherwise, the password is still vulnerable. In Trillian’s case, this is now “immediately,” but for other sites/services you should either wait a little while, or wait until they tell you to before you change the password.

  10. Holger Says:

    @meeeeeeee: Go hide under a rock crying.

    Any tech that is made by people is vulnerable, be glad that there is still some life left in Trillian so that they update the software for you, for free.

  11. Marcos Gama Says:

    In every update I hope to find a real (and useful) spell check. In my opinion the lack of a fast change (sometimes I need to type in Spanish, other times in English, and in Portuguese most of the time) is the worst thing in Trillian. Trillian is still the best multi-platform IM on the market. Please consider installing one with “on the fly language change”. I use an old program, ClipMate Pro, and the developer uses a basic but reliable spell check in it (works really fine, with many languages).

  12. samer Says:

    What about the improvements & bug fixes within the software itself?

  13. DMel Says:

    Did this update break anyone else’s skype? I use Win8.1 and I know I had to do a workaround to get Skype working before, but can anyone tell me if this update would have impacted skypekit?

  14. Tonia Says:

    Thank you!

  15. Radian Says:

    How about including the Skype patch for windows 8 which you’ve posted on the forums here.
    (Or just not overwriting it with the old broken one again ?!)

  16. Dunge Says:

    I agree with most post here. Why do you still provide the broken skypekit? Please update this asap.

  17. twig Says:

    You guys got this out pretty quickly, nice work!

  18. Betty Monfette Says:

    I still can’t get my Facebook chat to work. Any hints for that? Thanks!!

  19. Cledson Silva Brito Says:

    I want WhatsApp in Trillian

  20. JJ Says:

    Skype, facebook, linked in, yahoo, aim, gmail, msn, and several email accounts are all working just fine for me. Works great too!

    I do wish I could do video and screen sharing with Skype via trillian though. I have to start skype for that.

  21. banana Says:

    something something bitch and moan about free stuff.

  22. Tama-kun Says:

    THX for the security update, I also would like an update for the skypekit, it’s a really annoying issue!

    @Cledson Silva Brito: There won’t be a WhatsApp implementation in any 3rd party software, because WhatsApp is bound to your mobile’s number and so to the device itself. If you’d like to have a desktop app you should try services like Telegram or Line Messenger; there are several that offer a desktop app!

    Greets

    Tama

  23. Frank Says:

    @DMel

    Yep, my Skype is broken again too. Since the Devs don’t seem to be interested in fixing the issues I think this is the end of the road for me and Trillian…

  24. Dreadicon Says:

    To those asking about skype, they can’t fix it; microsoft is slowly, deliberately killing the ability for 3rd parties to connect, and eventually Trillian will be forced to drop support. Not their fault; blame M$. Yeah, I want Skype support. A lot. I’d trade half the other clients they support for it. But there’s not much they can do.

    To Trillian devs, thank you for fixing this, and being up-front about it! Many web companies are sweeping the biggest breach of internet security of all time under the rug. And I work in security; I’m on a team fixing this bug for a company now. It really is THAT BAD.

  25. Merijn Says:

    To all: I confirm that this update installs the broken SkypeKit version (and thus overwrites a version you patched yourselves), you will need to patch again after this update (seems to work here so far).

    Unfortunately it’s, and by a long shot not for the first time, CC not doing support very well for paying customers :(

  26. DLX23 Says:

    and where is our OTR plugin ? :( (

  27. Robert Says:

    Three updates and it still does not work when I try to double click or right click on email to view inbox with my msn.com mail account. Nothing happens.

  28. wat Says:

    skype won’t work any longer because of microsoft. And whatsapp will probably never be a thing on pc except whatsapp inc wants it to. people should stop complaining..

  29. McByte Says:

    Thanx Trillian team 4 acting that fast! Skype runs fine, as always, don’t even need to start the NSA software :-D @ all moaning, get Trillian pro lifetime so the guys get some money to work furthermore that decently at the best multi IM… I love Trillian since years, having it on all my devices. Trillian WAY TO GO!

  30. Donna Edwards Says:

    Sorry guys, I’m done. This is the only website / program that I use that was vulnerable to this attack, sigh. I thought I was ok but now I find out that I’m not, how disappointing. Over the past year, this application has caused me more time and trouble than it is worth. I disconnected everything except twitter due to the constant errors so I barely use the app anymore. I wish you the best moving forward but unfortunately it is time for me to uninstall.

  31. mike barnhart Says:

    How about fixing the Yahoo! mail login issue where Trillian doesn’t send the password automatically anymore???!?!?!?!?!

  32. Hank Cowdog Says:

    Thanks for the quick response to this issue.

  33. Sgluber Says:

    Nice job guys, thank you! :)

  34. robert jones Says:

    I agree with others. Please fix the bugs in this program and do something about skype access. Your service is now on the verge of becoming irrelevant. As a paid user i regret my decision to give you money.

  35. Joe Says:

    No OTR support yet too. Trillian just fails

  36. Trev Says:

    Thanks! To the moaning and whining crew, they pushed an update out to fix an immediate problem. Other issues that can be resolved I am sure are being worked on. But stuff like Skype that has been nerfed by MS is hard for them to fix.

  37. LittleCheetah Says:

    SKYPE: Haven’t gone through the ENTIRE blog, but has anyone said that Skype actually DOES work if you use a generic MS identity? You all have one, although probably have ignored it for years. If not, sign up for an *@outlook.com or *@hotmail.com or whatever Microsoft is peddling at the moment. Skype was broken by MS only for custom identities.

  38. pixelologist Says:

    That was FAST!! Thanks, folks, for being so on the ball!

    * doing my bit to help balance out the whiny bitches :)

  39. DJ Says:

    Seeing people with issues using skype… just installed the update and all is working fine for me.

  40. smw Says:

    Regarding Skype: The crash occurring on Windows 8.1 is within ‘skypekit.exe’ itself, which is the SDK provided to us by Skype. In other words, it’s not our code, and we aren’t able to fix it ourselves as a result. We’ve reached out to Skype to see if they plan to fix it but haven’t received a response. This is likely because they’ve dropped support for the kit entirely and no longer really care about the crashes.

    We will investigate bringing back an older version of the kit into our official builds to avoid bricking those of you that patch yourselves each time. There are some issues with doing so (like introducing old bugs again) but those issues may be minor enough that it will ultimately be worth doing.

  41. I want my Skype Contacts! Says:

    Please fix the Skype problem. I am sick of logging in through Sonic Wall to another older computer with Windows 7 operating system to talk with the other Buyers. I want Trillian to work on my new laptop again with the Windows 8.1 update. Had I known about this problem I would have never allowed the IT guy to update my laptop. Now I’m screwed. No going back to Windows 8 he says.

  42. Jon Says:

    Thank you for this important update.

    Now how would I know if other sites that I have accounts on are using OpenSSL, and whether they have updated or not. UGH! I have so many passwords to reset.

  43. nick Says:

    My skype is still working after this update. Like someone said, it may be because I have a MS account.

  44. Heldamon Says:

    SKYPE, FIX IT

  45. Tlin Says:

    Well my Skype is working. Also after the Update. Win7 64 bit.

  46. f Says:

    I turned on Yahoo’s second sign-in, and generated an app password for Trillian. I keep getting a bad password response. Is Trillian not compatible with Yahoo’s second sign-in?

  47. Jerry Says:

    There is a link I can issue for people to see if there is the Heartbleed bug in other websites. I have used it to test my website and fully update it; we have been either indirectly or directly affected by Heartbleed: http://filippo.io/Heartbleed/ <— Test your server it says, but you can use it for anything

    Websites I have tested include:

    Youtube,
    Google,
    Facebook,
    FGO (my own)
    weebly

    And a few others.

  48. Andrew Says:

    I only use this for facebook and it’s running ok. The only problem is trying to get messages sent on my phone via the official app to show up on trillian. Very annoying having missed messages.

  49. Miros Says:

    Good job guys, lightning fast reaction, thanks!

    However, it would be nice with a few enhancements to the app soon… Eg. Skype messages not being shown in correct order during a chat is pretty annoying…

  50. Scott Anger Says:

    I’m sure most folks are aware of the vulnerability. Maybe I missed it but you gave links to 1) the vulnerability, 2) a contact link (super plus!) and 3) a link to the update (also plus) but no link for your average user on instructions on how to change her password. Personally, I’m OK on how to do this but could really use an easy way to show others. Thanks.

  51. Dr.Flay Says:

    Hooray!
    Now how about fixing the certificate here https://help.trillian.im

  52. jessenic Says:

    smw: Why can’t you bundle both versions of skypekit with Trillian and select the older one if on Win8.1 and also adjust compatibility registry key of skypekit while installing/updating Trillian: http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/bc32887d-4fcf-4416-aa22-36a93dfeb644/setting-compatibility-mode-programmatically

  53. FreedomDwarf Says:

    For all you moaning minnies out there whining about Skypekit (like Heldamon), it works fine here on my MSN account for most things.
    CC can’t update the skypekit because it’s NOT their code to fix!! FFS people, get a grip on what is a Trillian problem and what isn’t!!
    And yes, I agree, maybe they could fix the Yahoo issues a bit faster but I’ve been waiting for an A/V fix for…. many many years since it broke in v3.1.
    I bet most of these whingers are using the free version too!
    As for those bitching about Win8/8.1, it was billed as the biggest pile of poo since ME and Vista. Got no sympathy for you buying crap.

    CC got this major fix out there pretty damned quick! Quit complaining.

  54. SS Says:

    This morning, my PC client logged me out of Yahoo (yes it is the updated version) and I am unable to log back in claiming invalid password, however my iOS version will log me into Yahoo just fine. (yes, I have verified all password entries).

  55. coffee-turtle Says:

    We applaud you Cerulean Studios for addressing this matter as quickly as possible and taking all appropriate measures.
    Personally, I use your program daily on a number of platforms.
    Thank you.

  56. Lars-Erik Østerud Says:

    After I changed my password on all my accounts I have HUGE trouble with Trillian.
    AIM disconnects all the time (but when it connects all seems OK).
    Twitter won’t work at all. As soon as it connects Trillian crashes with a dialog box saying something went wrong :-(
    If I am fast enough I can get Trillian started by unchecking Twitter in the account preferences.
    I even tried deleting it and re-adding Twitter, but no login window, just crashes again :-(

  57. Hantari Says:

    After the update I can’t log in automatically in Yahoo mail; each time I try, I have only the username and the place for the password is empty.
    I don’t know if the problem came from Yahoo or Trillian but it is pretty annoying because I have 4 accounts and I have to put in the password for each one.

  58. kwk Says:

    @Lars-Erik: Make sure you are running the latest version of Trillian. Sounds like you may be running an older build with a Twitter crash that was fixed.

  59. Carl Says:

    XMPP connection to server with self signed certs is still failing. Please fix this because until then I have to use Build 10 which is vulnerable. I already opened a help issue regarding this and sent the log as requested and haven’t heard a thing back yet.

  60. AW Says:

    What exactly is the Skype problem? I stopped using Trillian because Skype wasn’t working on it. Haven’t the Trillian people bothered to explain?